BUG: Yarn resolves dependency version incorrectly

[alexk-z]

Yarn version used: 1.10.1

Current behavior:
Using this package.json - yarn resolves "xmldom" dependency to have version 0.1.27:
{
"name": "yarn-repro",
"version": "1.0.0",
"main": "index.js",
"license": "MIT",
"dependencies": {
"docxtemplater-link-module": "0.2.4"
},
"devDependencies": {
"electron-builder": "^20.28.4"
}
}

Expected behavior:
"xmldom" has the version 0.1.22, since "docxtemplater-link-module" asks for exact version 0.1.22 and in fact breaks with 0.1.27. "plist" asks for non-exact version 0.1.x. So I would expect yarn to resolve this to 0.1.22.

In fact when "plist" specified instead of "electron-builder" - then version of "xmldom" becomes 0.1.22 again.

This is very confusing and looks to me like a bug. The whole point we rely on yarn instead of npm is to avoid issues like this one =)

P.S. Node version: 8.11.1, OS: Win 10

[rally25rs]

If I install this in a clean directory, I get:

~/Projects/yarn-test 🐒   yarn
yarn install v1.10.1
info No lockfile found.
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
[4/4] 📃  Building fresh packages...

success Saved lockfile.
✨  Done in 13.26s.

~/Projects/yarn-test 🐒   yarn why xmldom
yarn why v1.10.1
[1/4] 🤔  Why do we have the module "xmldom"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "xmldom@0.1.22"
info Reasons this module exists
   - "docxtemplater-link-module" depends on it
   - Hoisted from "docxtemplater-link-module#xmldom"
info Disk size without dependencies: "100KB"
info Disk size with unique dependencies: "100KB"
info Disk size with transitive dependencies: "100KB"
info Number of shared dependencies: 0
=> Found "plist#xmldom@0.1.27"
info This module exists because "electron-builder#app-builder-lib#plist" depends on it.
info Disk size without dependencies: "104KB"
info Disk size with unique dependencies: "104KB"
info Disk size with transitive dependencies: "104KB"
info Number of shared dependencies: 0
✨  Done in 0.22s.

~/Projects/yarn-test 🐒   grep version node_modules/xmldom/package.json
  "version": "0.1.22",

~/Projects/yarn-test 🐒   grep version node_modules/plist/node_modules/xmldom/package.json
  "version": "0.1.27",

~/Projects/yarn-test 🐒   grep "\"xmldom\":" `find . -name package.json`
./node_modules/docxtemplater-link-module/package.json:    "xmldom": "0.1.22"
./node_modules/plist/package.json:    "xmldom": "0.1.x"

So, docxtemplater-link-module requires xmldom@0.1.22 and so yarn put that version in place and it was hoisted to the root node_modules/xmldom

plist requires xmldom@0.1.x which resolved to what I'm guessing is the latest in that range, 0.1.27, which was put in plist/node_modules/xmldom

That seems correct, in that both these modules have their dependencies fulfilled.

[alexk-z]

Please use this package.json (removed ^ from electron-builder). Then xmldom becomes of the version 0.1.27 which leads to problems.

{
"name": "yarn-repro",
"version": "1.0.0",
"main": "index.js",
"license": "MIT",
"dependencies": {
    "docxtemplater-link-module": "0.2.4"
  },
"devDependencies": {
    "electron-builder": "20.28.4"
  }
}