Yarn v1.10.x does not respect .npmrc and does package lookup from registry.yarnpkg.com instead

[raido]

Do you want to request a feature or report a bug?

What is the current behavior?

Instead of looking up package from local npm registry for example, Yarn tries to lookup package from "registry.yarnpkg.com"

If the current behavior is a bug, please provide the steps to reproduce.

Just upgrade from v1.9.4 and it breaks.

What is the expected behavior?

Yarn would lookup packages from the registry defined in .npmrc.

Please mention your node.js, yarn and operating system version.

macOS Mojave,
Node v8.11.x
Yarn v1.10.x

[ajvengo]

Same problem on Ubuntu 18.04, node 8.11.4, yarn 1.10.1.
Worked fine with yarn 1.9.4

[breunigs]

Hm, we're seeing a similar problem: updating the lockfile with yarn install and the .npmrc present provides the correct URLs in the lockfile. Then, running on the CI with just the yarn.lock (and packages.json) it tries to load from yarnpkg.com. Copying the .npmrc into the container solves the issue. Bisecting the issue on master gives me this commit: a7334da

[JSFernandes]

I'm encountering the same issue on Ubuntu 16.04, node 8.11.4, yarn 1.10.1.

Somehow, I'm not encountering the issue on macOS High Sierra version 10.13.6, with the same version of node and yarn, so it might be more complicated.

EDIT:

My situation is completely in line to what @breunigs is experiencing, as yarn install is successful locally, but fails in my CI build to which we don't copy the .npmrc file. This worked successfully with yarn 1.9.4.

Moreover, if I perform a yarn install with yarn 1.10.1, which adds the integrity to the yarn.lock file, the CI build passes. I assume that when yarn 1.10.1 doesn't see the integrity in the yarn.lock it tries to re-fetch the assets, which obviously without the .npmrc. Does this seem like it could be the case?

[mmaceachran]

I have the same setup as ajvengo, and I have the same issue. I tried the 1.11.x release candidate and that also has the issue.

[rdadoune]

We're having a similar issue with our builds at work with yarn version 1.10.1. We don't use a .npmrc and we never needed to in the past. Previously yarn install would respect the yarn.lock file and download from whatever registry the lock file stipulated for each package. But now, yarn install fails because yarn is looking for all of our private packages in wrong registry i.e. https://registry.yarnpkg.com/.

[rarkins]

@rdadoune if you don't have a registry instruction in .npmrc then how did you get a non-default registry into yarn.lock in the first place? e.g. do you have it in .yarnrc instead, or did you edit the yarn.lock by hand?

[rdadoune]

I actually just set it via the global config i.e. yarn config set registry <private reg>. Additionally I believe you can use the --registry flag when you add to set it on a per module basis.

[arcanis]

Hey, sorry about this 🙁

The 1.12 release will disable the automatic integrity migration by default (meaning that we won't add it anymore if it's missing), which will help. Note that it will be re-enabled at the next major release (Yarn 2.0), so we recommend you to enable it manually in order to migrate your lockfile when you have some time (documentation will be ready at the same time as the 1.12 reaches stable).

Also note that using --offline on your CI prevents the migration from happening, even now, and is traditionally what we recommend you to use on CI anyway (since CIs are prone to break because of network constraints).