yarn outdated fails when scoped packages are present in package.json

[Jessidhia]

Can be reproduced with:

mkdir folder
cd folder
yes '' | yarn init # all defaults, doesn't matter
yarn add @types/react # or any other scoped package
yarn outdated

yarn outdated v0.15.1
error https://registry.yarnpkg.com/@types/react: Not found
    at Request.params.callback [as _callback] (/Users/kovensky/.nodenv/versions/6.7.0/lib/node_modules/yarnpkg/lib/util/request-manager.js:273:18)
    at Request.self.callback (/Users/kovensky/.nodenv/versions/6.7.0/lib/node_modules/yarnpkg/node_modules/request/request.js:187:22)
    at emitTwo (events.js:106:13)
    at Request.emit (events.js:191:7)
    at Request.<anonymous> (/Users/kovensky/.nodenv/versions/6.7.0/lib/node_modules/yarnpkg/node_modules/request/request.js:1048:10)
    at emitOne (events.js:96:13)
    at Request.emit (events.js:188:7)
    at IncomingMessage.<anonymous> (/Users/kovensky/.nodenv/versions/6.7.0/lib/node_modules/yarnpkg/node_modules/request/request.js:969:12)
    at emitNone (events.js:91:20)
    at IncomingMessage.emit (events.js:185:7)
info Visit http://yarnpkg.com/en/docs/cli/outdated for documentation about this command.

[rickhanlonii]

Workaround for now is to remove any scoped packages from package.json and re-run

[djforth]

+1 getting same issue

[jeffcarbs]

FYI: Just installed yarn v0.16.0 which adds support for private/scoped NPM packages and this bug still exists.

Trace: 
  Error: https://registry.yarnpkg.com/@kadira/storybook: Not found
      at Request.params.callback [as _callback] (~/.nvm/versions/node/v6.6.0/lib/node_modules/yarn/lib/util/request-manager.js:294:18)
      at Request.self.callback (~/.nvm/versions/node/v6.6.0/lib/node_modules/yarn/node_modules/request/request.js:187:22)
      at emitTwo (events.js:106:13)
      at Request.emit (events.js:191:7)
      at Request.<anonymous> (~/.nvm/versions/node/v6.6.0/lib/node_modules/yarn/node_modules/request/request.js:1048:10)
      at emitOne (events.js:96:13)
      at Request.emit (events.js:188:7)
      at IncomingMessage.<anonymous> (~/.nvm/versions/node/v6.6.0/lib/node_modules/yarn/node_modules/request/request.js:969:12)
      at emitNone (events.js:91:20)
      at IncomingMessage.emit (events.js:185:7)

[jsynowiec]

#1071 #1276 was not yet merged. The outdated command fails, because yarn is trying to query the registry for @types/<typdef> and the NPM registry returns 404 due to the / character in a scoped package name that needs to be escaped, eg. https://registry.npmjs.org/@types%2Fnode

[jtsom]

FYI.. looks like it's happening (on windows) when doing an yarn install also:

Trace: 
  Error: ENOENT: no such file or directory, open 'C:\Code\ng2testing\node_modules\@types\jasmine\index.d.ts'
      at Error (native)

[samccone]

This is fixed on master 👐

[geovanisouza92]

Just to know, when the next release containing this fix is planned?

[rparree]

I am still seeing this problem

For example with the angular quickstarts:

$ git clone https://github.com/angular/quickstart.git quickstart && cd quickstart
…
$ yarn install
yarn install v0.17.8
info No lockfile found.
[1/4] Resolving packages...
error Couldn't find package "@types/node" on the "npm" registry.
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

I assume the "next release" mentioned in previous post (from Oct 26) has been released. Perhaps it is a regression?

My versions:

$ yarn versions
yarn versions v0.17.8
{ yarn: '0.17.8',
  'angular-quickstart': '1.0.0',
  http_parser: '2.7.0',
  node: '6.9.1',
  v8: '5.1.281.84',
  uv: '1.9.1',
  zlib: '1.2.8',
  ares: '1.10.1-DEV',
  icu: '57.1',
  modules: '48',
  openssl: '1.0.2j' }
Done in 0.06s.

I am on Fedora/25.

[jsynowiec]

@rparree thanks for posting. Try cleaning your caches or reinstall yarn first. I can't reproduce.

$ yarn        
yarn install v0.17.8
info No lockfile found.
[1/4] 🔍  Resolving packages...
warning lite-server > browser-sync > localtunnel > request > tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
warning lite-server > browser-sync > localtunnel > request > node-uuid@1.4.7: use uuid module instead
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
[4/4] 📃  Building fresh packages...
success Saved lockfile.
✨  Done in 31.27s.
$ yarn --version
0.17.8

[rparree]

I tried after cleaning my cache (again), it still doesn't work

rparree at hprp in ~/tmp/quickstart on master
$ yarn cache clean
yarn cache v0.17.8
success Cleared cache.
Done in 41.74s.
rparree at hprp in ~/tmp/quickstart on master
$ yarn 
yarn install v0.17.8
info No lockfile found.
[1/4] Resolving packages...
error Couldn't find package "@types/selenium-webdriver" on the "npm" registry.
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

I am using nvm might that cause a problem?

[jsynowiec]

Are you using some kind of npm proxy or private registry?

[rparree]

no proxy and no private registry. Where could i place some logging to see what he request/response us?

tx.,

[jsynowiec]

Try this https://twitter.com/jasonlaster11/status/798926995405021185 if you want to check the installed version or clone yarn repository, build and attach a debugger.

[rparree]

I'be used betwixt:

Request URL:https://registry.yarnpkg.com/@angular%2fcommon
Request Method:GET
Status Code:401 Unauthorized
Remote Address:104.16.63.173:443

The same request with curl

$ curl -I https://registry.yarnpkg.com/@angular%2fcommon
HTTP/2 200 
date: Fri, 25 Nov 2016 07:06:04 GMT
content-type: application/json
..

I did notice in the request header from yarn there is a authorization header (just obfuscated it below as i don't know what password is being used, seems like a generated one for my username)

accept:application/json
accept-encoding:gzip, deflate
authorization:Basic *****************
connection:close
host:registry.yarnpkg.com
user-agent:yarn/0.17.8 npm/? node/v6.9.1 linux x64

When i tried that with curl:

$ curl -I 'https://registry.yarnpkg.com/@angular%2fcommon' -H 'accept: application/json' -H 'accept-encoding: gzip, deflate' -H 'authorization: Basic ****************' -H 'connection: close' -H 'user-agent: yarn/0.17.8 npm/? node/v6.9.1 linux x64' --compressed
HTTP/2 401 
...

There is no authorisation header on the packages that are not scoped.

[jsynowiec]

This might be a problem with yarn registry. Try setting yarn to use the npm registry directly
yarn config set registry https://registry.npmjs.org

[rparree]

Same problem :(

Why does it only add an authorisation header when the package is scoped?

I noticed that a test fails as well which uses a scoped module:

 FAIL  __tests__/commands/outdated.js
  ● hides when current > latest (next, beta tag)

    Error: couldnt find @wyze/yarn-outdated-next
      
      at src/registries/npm-registry.js:84:15:84:15�[2m

[rparree]

This resolves to true:

this.getScopedOption(registry.replace(/^https?:/, ''), 'always-auth') || this.getOption('always-auth')
      || removePrefix(requestUrl, registry)[0] === '@';

(EDIT: added the whole boolean expression, as my problem is in the last expression)

yarn/src/registries/npm-registry.js

Line 56 in b4e42e3

const alwaysAuth = this.getScopedOption(registry.replace(/^https?:/, ''), 'always-auth')

[jsynowiec]

This should be moved to a separate issue.

[rparree]

see #2030