yarn installs unpublished npm packages #3274
npm does not remove packages from npm if they are unpublished, they are still available for download.

The package wasn't unpublished. The latest dist-tag was removed and added
to a previous version. Possibly some kind of registry sync lag?
On 23 May 2017 4:35 pm, "Konstantin Raev" wrote:
> npm does not remove packages from npm if they are unpublished, they are
> still available for download.
> Anyone has a reliable repro step?

Yes, CDN can have a delay

Thanks for looking into this issue. The issue persisted for at least 24 hours until the author published a newer version of the sass-graph package, which resolved the problem since yarn then picked up the newer version. The problem seems to be specific to when yarn installs packages as sub-dependencies vs top-level dependencies. Installing the package directly worked fine, so I doubt it was as simple as a caching issue.

This RFC is related yarnpkg/rfcs#68
On 23 May 2017 at 16:06, Jon Harris wrote:
> Thanks for looking into this issue. The issue persisted for at least 24
> hours until the author published a newer version of the sass-graph package,
> which resolved the problem since yarn then picked up the newer version.
> The problem seems to be specific to when yarn installs packages as
> sub-dependencies vs top-level dependencies. Installing the package directly
> worked fine, so I doubt it was as simple as a caching issue.

That would explain many of the node-sass issues we've seen reported. Node
sass is almost always installed as a transient dependency.
On 23 May 2017 5:12 pm, "Konstantin Raev" wrote:
> This RFC is related yarnpkg/rfcs#68

If anyone has some knowledge of how node-sass is installed and wants to help Yarn team to debug the issues with it, that would be awesome!

I'm the maintainer, happy to help
On 24 May 2017 12:20 pm, "Konstantin Raev" wrote:
> If anyone has some knowledge of how node-sass is installed and wants to
> help Yarn team to debug the issues with it, that would be awesome!

That is awesome, @xzyfer, I've linked you in another issue.

Closing due to inactivity.

Do you want to request a feature or report a bug?
Bug

What is the current behavior?
Yarn installs packages that were unpublished on npm.

If the current behavior is a bug, please provide the steps to reproduce.
I use the `node-sass` package in one of my projects, and it has a dependency on a package called `sass-graph` (version ^2.1.1).

The author of `sass-graph` published version 2.2.0 on npm, but it broke a bunch of things, so he unpublished the package.

Now, if I open an empty repo, and do `yarn add sass-graph` it correctly goes and gets the latest published package (2.1.2).

But if I then do `yarn add node-sass`, yarn incorrectly retrieves the unpublished `sass-graph` version 2.2.0, which is incorrect.

Looking at my yarn.lock files, I see the following when I add the node-sass package:

But when I just add sass-graph by itself, I see:

I have tried clearing my yarn cache (`yarn cache clean`) but this didn't help resolve the issue.

Also, running `npm install --save node-sass` correctly installs `sass-graph` version 2.1.2, so this bug seems to be specific to yarn, and not npm.

What is the expected behavior?
Unpublished npm packages should not be installed.

Please mention your node.js, yarn and operating system version.
Node 7.9.0
Yarn 0.23.2
MacOS 10.12.4
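
The maintainer's comment in this thread says the `latest` dist-tag was moved back to a previous version rather than the package being unpublished. As an added example (not code from Yarn, npm or anyone in the thread), the sketch below shows how two selection strategies produce the 2.2.0 and 2.1.2 results reported above, plus a lockfile check for pins newer than `latest`; the metadata is constructed, every function name is hypothetical, and neither strategy is claimed to be what either client actually implements.

```javascript
// Constructed registry metadata modelled on the report: 2.2.0 is still in the
// version list, but the `latest` dist-tag points back at 2.1.2.
const metadata = {
  name: 'sass-graph',
  'dist-tags': { latest: '2.1.2' },
  versions: ['2.1.0', '2.1.1', '2.1.2', '2.2.0'],
};

const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Caret ranges only (^X.Y.Z with X >= 1): same major, and >= the base version.
function satisfiesCaret(version, range) {
  const base = range.slice(1);
  return parse(version)[0] === parse(base)[0] && cmp(version, base) >= 0;
}

// Strategy A (assumed): highest listed version that satisfies the range.
function pickHighest(meta, range) {
  const ok = meta.versions.filter((v) => satisfiesCaret(v, range)).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
}

// Strategy B (assumed): use the `latest` dist-tag when it satisfies the
// range, otherwise fall back to strategy A.
function pickPreferLatest(meta, range) {
  const latest = meta['dist-tags'].latest;
  return satisfiesCaret(latest, range) ? latest : pickHighest(meta, range);
}

// Audit check: lockfile pins that are newer than the current `latest` tag,
// i.e. versions the maintainer has stepped back from.
function pinsAheadOfLatest(pins, registry) {
  return Object.entries(pins)
    .filter(([name, v]) => cmp(v, registry[name]['dist-tags'].latest) > 0)
    .map(([name, v]) => `${name}@${v}`);
}

console.log(pickHighest(metadata, '^2.1.1'), pickPreferLatest(metadata, '^2.1.1'));
console.log(pinsAheadOfLatest({ 'sass-graph': '2.2.0' }, { 'sass-graph': metadata }));
```

Running the audit function over the pinned versions from a lockfile, with metadata fetched from the registry, flags entries worth re-resolving after a maintainer moves `latest` backwards.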