yarn installs unpublished npm packages

[jharris4]

Do you want to request a feature or report a bug?
Bug

What is the current behavior?
Yarn installs packages that were unpublished on npm.

If the current behavior is a bug, please provide the steps to reproduce.

I use the node-sass package in one of my projects, and it has a dependency on a package called sass-graph (version ^2.1.1).

The author of sass-graph published version 2.2.0 on npm, but it broke a bunch of things, so he unpublished the package.

Now, if I open an empty repo, and do yarn add sass-graph it correctly goes and gets the latest published package (2.1.2).

But if I then do yarn add node-sass, yarn incorrectly retrieves the unpublished sass-graph version 2.2.0, which is incorrect.

Looking at my yarn.lock files, I see the following when I add the node-sass package:

node-sass@^4.5.2:
  version "4.5.2"
  resolved "https://registry.yarnpkg.com/node-sass/-/node-sass-4.5.2.tgz#4012fa2bd129b1d6365117e88d9da0500d99da64"
  dependencies:
    async-foreach "^0.1.3"
    chalk "^1.1.1"
    cross-spawn "^3.0.0"
    gaze "^1.0.0"
    get-stdin "^4.0.1"
    glob "^7.0.3"
    in-publish "^2.0.0"
    lodash.assign "^4.2.0"
    lodash.clonedeep "^4.3.2"
    lodash.mergewith "^4.6.0"
    meow "^3.7.0"
    mkdirp "^0.5.1"
    nan "^2.3.2"
    node-gyp "^3.3.1"
    npmlog "^4.0.0"
    request "^2.79.0"
    sass-graph "^2.1.1"
    stdout-stream "^1.4.0"

sass-graph@^2.1.1:
  version "2.2.0"
  resolved "https://registry.yarnpkg.com/sass-graph/-/sass-graph-2.2.0.tgz#d59b85d27cab14eacd9946420c6aec617b8da42e"
  dependencies:
    glob "^7.0.0"
    lodash "^4.0.0"
    scss-tokenizer "^0.1.2"
    yargs "^6.6.0"

But when I just add sass-graph by itself, I see:

sass-graph@^2.1.2:
  version "2.1.2"
  resolved "https://registry.yarnpkg.com/sass-graph/-/sass-graph-2.1.2.tgz#965104be23e8103cb7e5f710df65935b317da57b"
  dependencies:
    glob "^7.0.0"
    lodash "^4.0.0"
    yargs "^4.7.1"

I have tried clearing my yarn cache (yarn cache clean) but this didn't help resolve the issue.

Also, running npm install --save node-sass correctly installs sass-graph version 2.1.2, so this bug seems to be specific to yarn, and not npm.

What is the expected behavior?

Unpublished npm packages should not be installed.

Please mention your node.js, yarn and operating system version.
Node 7.9.0
Yarn 0.23.2
MacOS 10.12.4

[bestander]

npm does not remove packages from npm if they are unpublished, they are still available for download.
Anyone has a reliable repro step?

[xzyfer]

The package wasn't unpublished. The latest dist-tag was removed and added to a previous version. Possibly some kind of registry sync lag?

…

On 23 May 2017 4:35 pm, "Konstantin Raev" ***@***.***> wrote: npm does not remove packages from npm if they are unpublished, they are still available for download. Anyone has a reliable repro step? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#3274 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAjZWBbqvgL5BX_RPHOTS_S6sw0b41RSks5r8u69gaJpZM4NL0ig> .

[bestander]

Yes, CDN can have a delay

[jharris4]

Thanks for looking into this issue. The issue persisted for at least 24 hours until the author published a newer version of the sass-graph package, which resolved the problem since yarn then picked up the newer version.

The problem seems to be specific to when yarn installs packages as sub-dependencies vs top-level dependencies. Installing the package directly worked fine, so I doubt it was as simple as a caching issue.

[bestander]

This RFC is related yarnpkg/rfcs#68

…

On 23 May 2017 at 16:06, Jon Harris ***@***.***> wrote: Thanks for looking into this issue. The issue persisted for at least 24 hours until the author published a newer version of the sass-graph package, which resolved the problem since yarn then picked up the newer version. The problem seems to be specific to when yarn installs packages as sub-dependencies vs top-level dependencies. Installing the package directly worked fine, so I doubt it was as simple as a caching issue. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#3274 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACBdWEzy20ckJcogTMOb0Eba425qs3uEks5r8vXbgaJpZM4NL0ig> .

[xzyfer]

That would explain many of the node-sass issues we've seen reported. Node sass is almost always installed as a transient dependency. On 23 May 2017 5:12 pm, "Konstantin Raev" <notifications@github.com> wrote: This RFC is related yarnpkg/rfcs#68

On 23 May 2017 at 16:06, Jon Harris ***@***.***> wrote: Thanks for looking into this issue. The issue persisted for at least 24 hours until the author published a newer version of the sass-graph

package,

which resolved the problem since yarn then picked up the newer version. The problem seems to be specific to when yarn installs packages as sub-dependencies vs top-level dependencies. Installing the package

directly

worked fine, so I doubt it was as simple as a caching issue. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#3274 (comment)>, or

mute

the thread <https://github.com/notifications/unsubscribe-auth/

ACBdWEzy20ckJcogTMOb0Eba425qs3uEks5r8vXbgaJpZM4NL0ig>

.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#3274 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAjZWPVCBU5yqDCl62r0XCxoPO_Zg3R_ks5r8vdVgaJpZM4NL0ig> .

[bestander]

If anyone has some knowledge of how node-sass is installed and wants to help Yarn team to debug the issues with it, that would be awesome!

[xzyfer]

I'm the maintainer, happy to help

…

On 24 May 2017 12:20 pm, "Konstantin Raev" ***@***.***> wrote: If anyone has some knowledge of how node-sass is installed and wants to help Yarn team to debug the issues with it, that would be awesome! — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#3274 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAjZWLoEQmbITKg-PuNcokWS_zzkXSD1ks5r9AR8gaJpZM4NL0ig> .