An unexpected error occurred: "https://registry.yarnpkg.com/flatmap-stream/-/flatmap-stream-0.1.1.tgz: Request failed \"404 Not Found\"". #6725

Closed
Neal85 opened this issue Nov 28, 2018 · 10 comments

@Neal85

Neal85 commented Nov 28, 2018

yarn install v1.9.4
Do you want to request a feature or report a bug?

bug
What is the current behavior?

If the current behavior is a bug, please provide the steps to reproduce.

What is the expected behavior?

Please mention your node.js, yarn and operating system version.
FROM mhart/alpine-node:10

@ghost ghost assigned kaylie-alexa Nov 28, 2018
@ghost ghost added the triaged label Nov 28, 2018
@claudiocabral

This is not a yarn bug, it's due to the removal of the malicious code in the flatmap package used to steal bitcoin funds from Copay wallets. The fix is to find any packages that depend on event-stream and update them. In my case it was nodemon, and the most recent update removes the event-stream dependency.
https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/

@GreenAsJade

Isn't it a bug if the package manager gets an "unexpected error" when a dependency can't be met?

I thought it is yarn's job to find dependencies that need to be updated and... update them?

@claudiocabral

Yarn doesn't update anything implicitly to avoid breaking your code with an unexpected update.
This specific case is unusual because the dependency was malicious code that was removed from yarn-registry.
I do agree that they should handle the error a bit better and improve the error message, but I think that discussion deserves to be done on a new topic. I feel that yarn errors often tend to be cryptic, and that could definitely be improved.

@GreenAsJade

It's proving tough to find out what needs to be updated :(

@claudiocabral

Well, it can be a bit more complicated than that :(
I regexped my way to it using vim and found nodemon as having added event-stream, which is the package that was infected. Updating nodemon then solved it because nodemon itself had already removed the dependency.

If the package you depend on has not been updated yet, you'll need to either remove it or create an issue for it on github hoping it gets fixed
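
One way to automate the lockfile search described in the comment above, as an added example that is not part of the thread or of yarn's own code: it parses a v1 yarn.lock and lists every dependency chain that ends at flatmap-stream. The sample lockfile is constructed, the example-* package names and all version numbers are hypothetical, and treating entries with no dependents as direct dependencies is an assumption.

```javascript
// Parse yarn.lock (v1) into Map<name, Set<dependency name>>, merging versions.
function parseYarnLock(text) {
  const graph = new Map();
  let current = [], inDeps = false;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) { // entry header, e.g. "@scope/a@^1", "@scope/a@^2":
      current = line.replace(/:$/, "").split(",").map((spec) => {
        const s = spec.trim().replace(/^"|"$/g, "");
        return s.slice(0, s.indexOf("@", 1)); // skip the "@" of a scope
      });
      for (const n of current) if (!graph.has(n)) graph.set(n, new Set());
      inDeps = false;
    } else if (/^  \S/.test(line)) { // two-space field: version, resolved, ...
      inDeps = /^  (optionalD|d)ependencies:$/.test(line);
    } else if (inDeps) { // four-space line: name "range"
      const dep = line.trim().match(/^"?([^"\s]+)"?\s/);
      if (dep) for (const n of current) graph.get(n).add(dep[1]);
    }
  }
  return graph;
}

// Every chain that ends at `target`, walked upward to an entry nothing else in
// the lockfile depends on (assumption: those are your direct dependencies).
function chainsTo(graph, target) {
  const parents = new Map();
  for (const [name, deps] of graph)
    for (const d of deps) parents.set(d, [...(parents.get(d) || []), name]);
  const out = [];
  const walk = (name, path) => {
    const ups = (parents.get(name) || []).filter((p) => p !== name && !path.includes(p));
    if (ups.length === 0) out.push([name, ...path].join(" > "));
    for (const p of ups) walk(p, [name, ...path]);
  };
  if (graph.has(target)) walk(target, []);
  return out.sort();
}

// Constructed sample, not from the issue: the example-* packages are
// hypothetical and every version number is made up.
const SAMPLE = [
  'nodemon@^0.0.1:\n  version "0.0.1"\n  dependencies:\n    example-ps-helper "^0.0.1"',
  'example-ps-helper@^0.0.1:\n  version "0.0.1"\n  dependencies:\n    event-stream "^0.0.1"',
  'example-build-tool@^0.0.1:\n  version "0.0.1"\n  dependencies:\n    event-stream "^0.0.1"',
  'event-stream@^0.0.1:\n  version "0.0.1"\n  dependencies:\n    flatmap-stream "^0.0.1"',
  'flatmap-stream@^0.0.1:\n  version "0.0.1"',
].join("\n\n");
console.log(chainsTo(parseYarnLock(SAMPLE), "flatmap-stream").join("\n"));
```

To run it against a real project, pass the contents of your own yarn.lock to parseYarnLock instead of SAMPLE; the first name in each printed chain is the package to update or remove.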

@GreenAsJade

Actually, should have thought of simple things first. I blew everything away (node modules and yarn lock) and it reinstalled clean :)

@chihab

chihab commented Nov 28, 2018

yarn --no-lockfile fixes my CI.
I had the issue on my netlify build, I've added an environment variable named YARN_FLAGS and have set it to --no-lockfile. Just a workaround though, corrupted dependency should be fixed/updated

@Neal85

Neal85 commented Nov 29, 2018

I upgraded "geoip-lite": "^1.3.3" to 1.3.5 and removed event-stream, and it worked. Thanks.

@Neal85 Neal85 closed this as completed Nov 29, 2018
@heymartinadams

Since yarn global wasn’t working for me (the infected packages had been installed globally), I was unable to yarn global remove the affected packages, so I had to remove them manually. In case it helps others, here are my steps:

  1. Go into yarn global folder: cd ~/.config/yarn/global/ (or wherever yarn global lives)
  2. Search for flatmap- in current folder: grep -R 'flatmap-' ./
  3. Manually and recursively remove all folders that contain it, e.g.: rm -rf ./node_modules/flatmap-stream ./node_modules/event-stream, etc.
  4. Remove yarn lockfile: rm yarn.lock
  5. Rebuild yarn by typing a command, e.g. yarn global list, so yarn global should work now.

@zeroidentidad

In my case it was fixed as @chihab said ✌️
