yarn install && yarn install --frozen-lockfile fails in v1.1.0

[rarkins]

Do you want to request a feature or report a bug?

bug

What is the current behavior?

mkdir yarnfail && cd yarnfail
wget https://raw.githubusercontent.com/singapore/renovate/5e3c56a399bad4d5fecb60b084b0cd88478c4b79/package.json
yarn install
yarn install --frozen-lockfile

The last command will fail with:

warning Lockfile has incorrect entry for "[email protected]". Ignoring it.
warning Lockfile has incorrect entry for "[email protected]". Ignoring it.
warning Lockfile has incorrect entry for "semver@~5.4.1". Ignoring it.
warning Lockfile has incorrect entry for "semver@~5.3.0". Ignoring it.
warning Lockfile has incorrect entry for "semver@^5.1.0". Ignoring it.
warning Lockfile has incorrect entry for "semver@^5.4.1". Ignoring it.
warning Lockfile has incorrect entry for "semver@^5.3.0". Ignoring it.
warning Lockfile has incorrect entry for "semver@^5.0.3". Ignoring it.
warning Lockfile has incorrect entry for "[email protected]". Ignoring it.
warning Lockfile has incorrect entry for "semver@^5.0.1". Ignoring it.
warning Lockfile has incorrect entry for "semver@^5.2.0". Ignoring it.
warning Lockfile has incorrect entry for "semver@~5.0.1". Ignoring it.
error Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`.

If you just run yarn install instead, you will get a lockfile with quite a few diffs.

Important: does not happen in yarn v1.0.2

What is the expected behavior?

The yarn.lock generated at step 2 should not fail yarn install --frozen-lockfile

Please mention your node.js, yarn and operating system version.

yarn v1.1.0, tested on both Ubuntu 16.04 and OSX Sierra

Note: This package renovate is a tool for updating package.json dependencies using either npm or yarn, so includes them both as dependencies. However I have tested removing both npm and yarn as dependencies and still get the same failure.

[rarkins]

I thought this might be to do with all the semver warnings, so tested by pinning semver version 5.4.1 using resolutions. yarn still errors.

Here is a diff between yarn.lock.1 generated from scratch and yarn.lock generated after:

1219c1219
< debuglog@*, debuglog@^1.0.1:
---
> debuglog@^1.0.1:
2326c2326
< imurmurhash@*, imurmurhash@^0.1.4:
---
> imurmurhash@^0.1.4:
3118,3121d3117
< lodash._baseindexof@*:
<   version "3.1.0"
<   resolved "https://registry.yarnpkg.com/lodash._baseindexof/-/lodash._baseindexof-3.1.0.tgz#fe52b53a1c6761e42618d654e4a25789ed61822c"
<
3137c3133
< lodash._bindcallback@*, lodash._bindcallback@^3.0.0:
---
> lodash._bindcallback@^3.0.0:
3141,3144d3136
< lodash._cacheindexof@*:
<   version "3.0.2"
<   resolved "https://registry.yarnpkg.com/lodash._cacheindexof/-/lodash._cacheindexof-3.0.2.tgz#3dc69ac82498d2ee5e3ce56091bafd2adc7bde92"
<
3153,3158d3144
< lodash._createcache@*:
<   version "3.1.2"
<   resolved "https://registry.yarnpkg.com/lodash._createcache/-/lodash._createcache-3.1.2.tgz#56d6a064017625e79ebca6b8018e17440bdcf093"
<   dependencies:
<     lodash._getnative "^3.0.0"
<
3163c3149
< lodash._getnative@*, lodash._getnative@^3.0.0:
---
> lodash._getnative@^3.0.0:
3257c3243
< lodash.restparam@*, lodash.restparam@^3.0.0:
---
> lodash.restparam@^3.0.0:
3517c3503
< [email protected], [email protected], "moment@>= 2.9.0", moment@^2.10.6:
---
> [email protected], "moment@>= 2.9.0", moment@^2.10.6:
3520a3507,3510
> [email protected]:
>   version "2.18.1"
>   resolved "https://registry.yarnpkg.com/moment/-/moment-2.18.1.tgz#c36193dd3ce1c2eed2adb7c802dbbc77a81b1c0f"
>
4427c4417
< readdir-scoped-modules@*, readdir-scoped-modules@^1.0.0:
---
> readdir-scoped-modules@^1.0.0:
5378c5368
< validate-npm-package-license@*, validate-npm-package-license@^3.0.1:
---
> validate-npm-package-license@^3.0.1:

[rarkins]

Here's a diff comparing the v1.0.2 and v1.1.0 lockfiles. Both were generated from scratch with no existing yarn.lock or node_modules:

3517c3517
< [email protected]:
---
> [email protected], [email protected], "moment@>= 2.9.0", moment@^2.10.6:
3521,3524d3520
< [email protected], "moment@>= 2.9.0", moment@^2.10.6:
<   version "2.18.1"
<   resolved "https://registry.yarnpkg.com/moment/-/moment-2.18.1.tgz#c36193dd3ce1c2eed2adb7c802dbbc77a81b1c0f"
<
4797,4801c4793
< "semver@2 >=2.2.1 || 3.x || 4 || 5", "semver@2 || 3 || 4 || 5", "[email protected] || 3.x || 4 || 5", [email protected], "semver@^2.3.0 || 3.x || 4 || 5", semver@^5.0.1, semver@^5.0.3, semver@^5.1.0, semver@^5.2.0, semver@^5.3.0, semver@^5.4.1, semver@~5.4.1:
<   version "5.4.1"
<   resolved "https://registry.yarnpkg.com/semver/-/semver-5.4.1.tgz#e059c09d8571f0540823733433505d3a2f00b18e"
<
< "semver@2 || 3 || 4":
---
> "semver@2 >=2.2.1 || 3.x || 4 || 5", "semver@2 || 3 || 4", "semver@2 || 3 || 4 || 5", "[email protected] || 3.x || 4 || 5", [email protected], [email protected], "semver@^2.3.0 || 3.x || 4 || 5", semver@^5.0.1, semver@^5.0.3, semver@^5.1.0, semver@^5.2.0, semver@^5.3.0, semver@^5.4.1, semver@~5.0.1, semver@~5.3.0, semver@~5.4.1:
4805,4812d4796
< [email protected], semver@~5.3.0:
<   version "5.3.0"
<   resolved "https://registry.yarnpkg.com/semver/-/semver-5.3.0.tgz#9b2ce5d3de02d17c6012ad326aa6b4d0cf54f94f"
<
< semver@~5.0.1:
<   version "5.0.3"
<   resolved "https://registry.yarnpkg.com/semver/-/semver-5.0.3.tgz#77466de589cd5d3c95f138aa78bc569a3cb5d27a"
<

[rarkins]

@BYK do you think this is also a duplicate of #4550 ?

[rarkins]

I can confirm this is fixed in yarn 1.2.0