'yarn install --production' does not install transitive dependencies if listed as devDependencies in the project

[scinos]

Do you want to request a feature or report a bug?
Report a bug

What is the current behavior?

In a project A with a dependency on B and B having a dependency on C, yarn install --production wont install C if C is listed as a devDependency of A. npm does.

If the current behavior is a bug, please provide the steps to reproduce.

1. Create a project with:

{
  "name": "test",
  "version": "1.0.0",
  "dependencies": {
    "sequelize-cli": "^2.5.1"
  },
  "devDependencies": {
    "gulp": "^3.9.1"
  }
}

(note that sequelize-cli has a dependency on gulp:

{
  "dependencies": {
    "gulp": "^3.9.1",
  }
}

2. Run yarn install --production

3. Try to find gulp: ls node_modules/gulp returns nothing.

However, if the package is

{
  "name": "test",
  "version": "1.0.0",
  "dependencies": {
    "sequelize-cli": "^2.5.1"
  }
}

yarn install --production will install gulp

What is the expected behavior?

Transitives production dependencies are always installed, even if the project declares them as devDependencies.

Please mention your node.js, yarn and operating system version.

• node 7.3.0
• yarn 0.21.3
• OSX 10.12.3 (Sierra)

[SimenB]

Is #761 back again?

[razor-x]

Just hit this with yarn 0.21.3. I have a logger package (B) that depends on bunyan (C), but bunyan is a devDependency of the main package (A).

[mapsam]

Also running 0.21.3 and hitting the same issue as @razor-x

[patrickd-]

Same issue here, this just screwed a production build, not good.

[dgaubert]

Same here using --production: main package (A) requires redis-mpool (B) which has redis (C) as dependency and main package (A) also defines redis (C) as devDependency.

[Jolg42]

Same here 😖 with latest 0.21.3 installing a lot of devDependecies...

[SimenB]

Does yarn check --verify-tree report errors?

[mapsam]

@SimenB indeed it does! With the example package.json provided by @scinos above:

yarn check v0.20.3
error "sequelize-cli#gulp" not installed
error "gulp" not installed
error Found 2 errors.

[SimenB]

This is still present in yarn 0.22.0.

Quick one-liner based on OP: yarn init -y && yarn add sequelize-cli && yarn add gulp --dev && yarn --prod && yarn check --verify-tree --prod still gives

yarn check v0.22.0
error "sequelize-cli#gulp" not installed
error Found 1 errors.

@bestander Could you please check this? There's also an open PR for this, I haven't tested it though #2921

The fact that I can't trust --prod erodes my trust in yarn, which is a shame, cuz it's really awesome in so many ways. For now we still install dev dependencies to production to avoid this, which bloats up the image, and slows down the link part of install into a docker container.

EDIT: I tested with 0.23.0, and it actually prints a warning during yarn --prod (#3025). It still fails the check, though.

yarn install v0.23.0
[1/4] Resolving packages...
warning Integrity check: Patterns don't match
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
Done in 2.69s.

Should the yarn --prod command fail at that point?

[bestander]

Yeah, looks like the bug is present there.
warning Integrity check: Patterns don't match means that quick integrity check does not pass and install should proceed.

I'll investigate now.

[bestander]

Apparently the logic here is incorrect https://github.com/yarnpkg/yarn/blob/master/src/package-hoister.js#L147 and does not factor top level devDependencies.
Anyone wants to dig deeper and send a PR?

[blexrob]

@bestander - already did that, see #2921

[bestander]

Awesome, thanks, @blexrob, sorry for missing this.

[ecbrodie]

Just a comment from my point of view, regarding this warning message (as a response to @bestander's comment):

warning Integrity check: Patterns don't match

When I see this after running a yarn install command, I begin to worry that there is either a yarn bug or an issue with one of our yarn files (such as yarn.lock). But rather, hearing that this message signifies a normal use case for yarn (in this case, I am running yarn install because I have not yet installed packages due to a recent yarn.lock or package.json change) is a little confusing. I would expect to receive silent output or non-warning output in the case of an expected use case.

If there is a better medium to provide this feedback (new Github issue?), then please let me know.

[SimenB]

@ecbrodie That's fixed in #3248

[ecbrodie]

@SimenB excellent, thanks for letting me know. Which yarn version will this be released in?

[SimenB]

No idea 😄

[bestander]

It is in master branch right now

So will be released in next branch cut, i.e. 0.24 this Thursday

[artlogic]

I just experienced this issue again using v0.24.5. Has there been a regression?

[bestander]

Please open a new issue with repro steps

…

On Fri, 19 May 2017 at 05:43, James Kruth ***@***.***> wrote: I just experienced this issue again using v0.24.5. Has there been a regression? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2819 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACBdWFGRWr4mfPbySPNiK3W3wcOxc9-Jks5r7R30gaJpZM4MQdaC> .