Why is my yarn.lock file changing when running yarn install after incrementing version in package.json?
I have read through the documentation on yarn commands and yarn.lock, and I was led to believe that the whole point of a yarn.lock file was to use the version specified in that file.

What I was curious about was: when is the version specified in yarn.lock actually used? I manually changed the version of a package in package.json, and reran yarn install, and the yarn.lock file was updated to use the new version. I thought it would be locked, so that it didn't matter what new version was specified in package.json, as long as the yarn.lock specified a version for that package, it would use that older version.

If this is how yarn.lock is supposed to work, then why not just specify the EXACT version in package.json, instead of using the ~ or ^ in front of the version numbers. Right now I have to do this in order to not change the yarn.lock file when running yarn install anyway.

So when is the locked version actually being used/is this the correct way of using yarn.lock?

Telemeter answered 31/7, 2019 at 17:34 Comment(0)
-1

If you change the dependency version in the package.json, the lock file will be updated to reflect that. The purpose of the lock file is twofold. One, to allow you (and your peers) to use the dependencies' versions which you know will work and have been tested for. And two, for dependency authors to specify what versions of the dependencies of your dependencies to use. The goal is stability here.

If you want to play around and see the purpose of the lock file, create your own npm module and push it to the npm registry with v1.0.0. Then in your project, add this module as a dependency with something like "myModule": "1.x.x". If you were to install your modules now, you would have "myModule v1.0.0", and your lock file would reflect this.

Now update your module to v1.1.0, and install your modules again. At this point, if you didn't have a lock file, you would get "myModule v1.1.0", but because the lock file is like a snapshot of what your dependency tree should look like, you will stick with "myModule v1.0.0". Of course if you delete the lock file, a new one would be generated with "myModule v1.1.0". Likewise, updating your package.json would also update the lock file.

  • Note, the example I gave is for npm and not yarn, but the concept is the same.
Dorkas answered 31/7, 2019 at 20:30 Comment(2)
The thing is that currently yarn install will indeed change yarn.lock even if you don't touch your package.json. Just saw this happening when moving from Node.js 13 over to 14. (Gossipmonger)
But you're not telling him/her anything new. This @Dorkas is claiming that yarn install still overwrites his current version. (Impressionist)
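The walkthrough in this answer, as an added example that is not part of the original post: a small JavaScript model of how a lockfile entry interacts with the range declared in package.json, run over a constructed registry. The range grammar is a simplified subset (exact, ^, ~ and x-ranges), and the rule "keep the locked version only while it still satisfies the declared range, otherwise re-resolve and rewrite the lock" models the purpose described above rather than yarn's exact algorithm.

```javascript
// Added example (not yarn's or npm's own code): a simplified model of how a
// lockfile interacts with package.json ranges. Subset of semver: exact, ^, ~, x-ranges.
function parse(v) {
  return v.split('.').map(Number);          // "1.2.3" -> [1, 2, 3]
}
function cmp(a, b) {                         // compare parsed versions
  return (a[0] - b[0]) || (a[1] - b[1]) || (a[2] - b[2]);
}
// True when `version` lies inside the half-open interval [lo, hi) that `range` denotes.
function satisfies(version, range) {
  const m = range.match(/^([\^~]?)(\d+)(?:\.(\d+|x|\*)(?:\.(\d+|x|\*))?)?$/);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const [, op, maj, min, pat] = m;
  const minorX = min === undefined || min === 'x' || min === '*';
  const patchX = pat === undefined || pat === 'x' || pat === '*';
  const major = Number(maj), minor = minorX ? 0 : Number(min), patch = patchX ? 0 : Number(pat);
  let hi;
  if (minorX) hi = [major + 1, 0, 0];                                   // "1", "1.x.x", "^1"
  else if (op === '^') hi = major > 0 ? [major + 1, 0, 0]               // ^: leftmost non-zero
    : minor > 0 ? [0, minor + 1, 0] : [0, 0, patch + 1];               //    part stays fixed
  else if (op === '~' || patchX) hi = [major, minor + 1, 0];            // "~1.2.3", "1.2.x"
  else hi = [major, minor, patch + 1];                                  // exact "1.2.3"
  const v = parse(version);
  return cmp(v, [major, minor, patch]) >= 0 && cmp(v, hi) < 0;
}
// Decide what to install for one dependency. The lock entry is honored only while it
// still satisfies the declared range; otherwise the range is re-resolved to the newest
// published version and the lockfile is rewritten. `available` stands in for the registry.
function resolve(range, lockedVersion, available) {
  if (lockedVersion !== null && satisfies(lockedVersion, range)) {
    return { version: lockedVersion, lockChanged: false };
  }
  const ok = available.filter(v => satisfies(v, range)).map(parse).sort(cmp);
  if (ok.length === 0) throw new Error(`nothing published satisfies ${range}`);
  return { version: ok[ok.length - 1].join('.'), lockChanged: true };
}
// The walkthrough from the answer, with "myModule" published as 1.0.0 and then 1.1.0
// (constructed sample data).
function scenario() {
  const registry = ['1.0.0'];
  const first = resolve('1.x.x', null, registry);             // fresh install: 1.0.0 locked
  registry.push('1.1.0');                                     // author publishes 1.1.0
  const second = resolve('1.x.x', first.version, registry);   // lock honored: still 1.0.0
  const noLock = resolve('1.x.x', null, registry);            // lockfile deleted: 1.1.0
  const bumped = resolve('^1.1.0', first.version, registry);  // package.json edited: re-resolved
  return { first, second, noLock, bumped };
}
```

The last step is the questioner's case: once the declared range excludes the locked version, the lock entry cannot be honored and is rewritten, which is why the lockfile changes only when package.json (or the lockfile itself) changes, not merely because a newer version was published.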
-1

There's a lengthy discussion on github issues here. TL;DR: the problem seems to be fixed in modern yarn.

Tirrell answered 25/1, 2022 at 10:45 Comment(1)
IMO it's still there, and is masked by pinning the yarn version, which is done by default and in templates (CRA, ...). (Gearing)
