yarn-lock-resolved-override-registry

Showcase where resolved in yarn.lock overrides registry config

The lock files and resolved

The dependency information inside yarn.lock and package-lock.json/npm-shrinkwrap.json is almost the same: version, resolved and integrity (Yarn merges integrity into resolved, as the hash after the #).

# yarn.lock

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


lodash.isarray@^4.0.0:
  version "4.0.0"
  resolved "https://127.0.0.1:1/lodash.isarray/-/lodash.isarray-4.0.0.tgz#2aca496b28c4ca6d726715313590c02e6ea34403"

// package-lock.json
{
  "name": "yarn-lock-resolved-override-registry",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "dependencies": {
    "lodash.isarray": {
      "version": "4.0.0",
      "resolved": "https://127.0.0.1:1/lodash.isarray/-/lodash.isarray-4.0.0.tgz",
      "integrity": "sha1-KspJayjEym1yZxUxNZDALm6jRAM="
    }
  }
}

The resolved field contains a host, which tells the package manager where to fetch the dependency from.

But there are cases where this breaks things:

  • The host in resolved may not be accessible, e.g. internal enterprise networks and CI environments.
  • The host in resolved may not be desirable, e.g. users with slow networks prefer a registry mirror.

Yarn behavior (until v0.24.6)

  • When yarn.lock exists, the Yarn install command always tries to access the resolved URL, ignoring the registry in .yarnrc.
  • When the host inside resolved is not accessible, the Yarn install command fails.
  • The only way for users to override the host in resolved is to modify the lock file.

NPM behavior (until v5.0.1)

  • When package-lock.json/npm-shrinkwrap.json exists, the NPM install command prefers the registry in .npmrc, ignoring the host of resolved.

The demo

To see how the Yarn and NPM behaviors differ, you can clone this project and run both install scripts.

git clone https://github.com/OpenGG/yarn-lock-resolved-override-registry.git

cd yarn-lock-resolved-override-registry

./script-npm.sh  # install by NPM with cache disabled

./script-yarn.sh  # install by Yarn with cache disabled

The proposal

For Yarn team

Personally I suggest that Yarn adopt the NPM behavior, or at least offer users a CLI option to override the host in resolved.

For Yarn users

If this is a problem, and you want Yarn to use another registry host instead of the one in resolved, there is a temporary solution: replace the registry host in yarn.lock.

sed -i.bak 's#https://registry.yarnpkg.com#https://registry-yours#g' yarn.lock  # keeps the original as yarn.lock.bak

Yarn will only use the top-level yarn.lock file and will ignore any yarn.lock files that exist within dependencies.
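Because Yarn fetches from whatever host resolved names, it helps to list those hosts before installing or rewriting the lock file. The following is an added example, not code from this repository: the helper names parseResolved and findForeignHosts, the example-pkg entry and the expected registry URL are assumptions made for illustration.

```javascript
// Added example (not from the repository): report yarn.lock v1 entries whose
// "resolved" host differs from the registry you expect Yarn to use.
// Constructed sample. The first entry is the one shown on this page; the
// second (example-pkg and its all-zero hash) is made up for illustration.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


lodash.isarray@^4.0.0:
  version "4.0.0"
  resolved "https://127.0.0.1:1/lodash.isarray/-/lodash.isarray-4.0.0.tgz#2aca496b28c4ca6d726715313590c02e6ea34403"

example-pkg@^1.0.0:
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/example-pkg/-/example-pkg-1.0.0.tgz#0000000000000000000000000000000000000000"
`;

// Hypothetical helper: extract { entry, host, sha1 } for every resolved line.
function parseResolved(lockText) {
  const entries = [];
  let current = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (line === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      current = line.slice(0, -1); // entry key, e.g. lodash.isarray@^4.0.0
      continue;
    }
    const m = /^\s+resolved "([^"]+)"/.exec(line);
    if (!m || current === null) continue;
    let host = null, sha1 = ''; // host stays null when the URL cannot be parsed
    try {
      const url = new URL(m[1]);
      host = url.host;          // includes a non-default port, e.g. 127.0.0.1:1
      sha1 = url.hash.slice(1); // Yarn stores the hash as the URL fragment
    } catch (err) { /* unparsable URL: reported as foreign below */ }
    entries.push({ entry: current, host, sha1 });
  }
  return entries;
}

// Hypothetical helper: entries Yarn would fetch from somewhere other than registryUrl.
function findForeignHosts(lockText, registryUrl) {
  const expected = new URL(registryUrl).host;
  return parseResolved(lockText).filter((e) => e.host !== expected);
}

for (const e of findForeignHosts(SAMPLE_LOCK, 'https://registry.yarnpkg.com')) {
  console.log(`${e.entry}: resolved host ${e.host} is not the expected registry`);
}
```

Run against a real yarn.lock in CI, a non-empty result means the install would contact a host other than the configured registry.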
