The `yarn.lock` file saves all the dependency versions and the hashes of the modules. I know that I can globally disable this hash checking with the option `--skip-integrity-check`.
We have an internal module that is continually developed. The dependency is really on a snapshot package. When it is updated, it fails in our continuous integration environment because the updated package hash is different from the hash saved in `yarn.lock`.
Is it possible to disable the integrity check just for a specific module?
I'll accept the answer even if it tells how to disable the check for all the modules of a specific registry.
Update: My problem is that my continuous integration server job is breaking when the dependency is updated, even if there's no modification in my code. These are spurious failures and I want to stop them.
Update 2: The accepted solution is really a hack to solve a problem in a usual development workflow. There is an issue open for Yarn on GitHub to fix this problem.
The `package-lock.json` file was introduced in npm version 5 to solve this problem. It is a generated file and is not designed to be manually edited.
The `package-lock.json` file stores the version information of each installed package unchanged, and npm will use those package versions when running the `npm install` command.
lockfileVersion. An integer version, starting at 1 with the version number of this document whose semantics were used when generating this `package-lock.json`. Note that the file format changed significantly in npm v7 to track information that would have otherwise required looking in node_modules or the npm registry.
The `package-lock.json` file lists your application's dependencies and the dependencies of all its dependencies. In other words, it describes which version of every single package you have installed. That's why it's so much longer than package.
Instead of running

```sh
yarn install
```

you should run it like below:

```sh
yarn add <specificpackage>@^<versions> --update-checksums
yarn install
```

This will make sure that the `yarn.lock` is updated with the latest hash for that package, and then `yarn install` will install the rest of the packages with the integrity check.
Update-1: 20-April
Another possible option is to use the `preinstall` hook. There are a few things you can try here. You can try updating the package. But be aware that launching the `yarn` command again in `preinstall` can cause infinite loops.
So a better way may be to run a `grep`, `awk` or `sed` command and get rid of the package entry in the `yarn.lock` file. This will make sure the `yarn install` command has no information on the hash, so a mismatch can't occur.
If you don't want to use `awk`, `sed` or `grep` because of Windows compatibility, then you should just write a simple Node.js script to get rid of the package from the `yarn.lock` file. This will be cross-OS compatible. The code below shows how to do the same.
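yarn_remove_hash.js

```js
const fs = require('fs');

const content = fs.readFileSync("yarn.lock", "utf-8");
const packageToDelete = "yallist";

const lines = content.split("\n");
for (let i = 0; i < lines.length; i++) {
    // An entry starts at column 0 with "<name>@<range>"
    if (lines[i].startsWith(packageToDelete + "@")) {
        lines[i] = "";
        // Blank the indented lines that belong to this entry,
        // stopping at the end of the file instead of reading past it
        let y = i;
        while (++y < lines.length && lines[y][0] === " ") {
            lines[y] = "";
        }
    }
}
fs.writeFileSync("yarn.lock", lines.join("\n"));
```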
And you will update your `scripts` section in `package.json` like below:

```
...
"preinstall": "node yarn_remove_hash.js"
...
```
If you want to make @Tarun Lalwani's `--update-checksums` more of a transparent process for you and others, you can add the following to `.yarnrc`:

```
--install.update-checksums true
```

Now when a user runs `yarn install` it will also update checksums implicitly. This was needed for me because one of my dependencies is linked to a snapshot .tar.gz that changes and NPM/Yarn would assume that it wouldn't, obviously leading us to this integrity issue. I had to move away from NPM because of this and also tried the preinstall hook (I thought I was clever but I guess you guys did the same).
At least Yarn has an option around this. Tarun's updated answer did not work for me either because yarn.lock is checked against before any hooks are run.
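
A narrower form of the lock-entry removal discussed above, as an added example that is not part of the original question or answers: it drops an entry only when the package is allow-listed and its `resolved` URL is under the internal registry, so every other entry keeps its pinned hash. The registry URL `https://npm.internal.example/`, the package `@acme/snapshot-lib` and the sample hashes are constructed, and the yarn v1 lockfile layout is assumed.

```javascript
// Package name of a yarn v1 entry header such as  yallist@^2.1.2:  or
// "@scope/pkg@^1.0.0", "@scope/pkg@^1.1.0":   (null for comments and blanks).
function entryName(header) {
  if (!header || header.startsWith("#") || !header.endsWith(":")) return null;
  const spec = header.slice(0, -1).split(", ")[0].replace(/^"|"$/g, "");
  const at = spec.indexOf("@", 1); // skip the leading "@" of a scoped name
  return at > 0 ? spec.slice(0, at) : null;
}

// Remove lock entries only when BOTH the name is allow-listed AND the entry
// resolves from the internal registry; everything else keeps its pinned hash.
function dropLockEntries(lockText, packages, registryPrefix) {
  const lines = lockText.split(/\r?\n/);
  const kept = [], removed = [], refused = [];
  for (let i = 0; i < lines.length; ) {
    let end = i + 1; // an entry is a header plus its indented lines
    while (end < lines.length && lines[end].startsWith(" ")) end++;
    const block = lines.slice(i, end);
    const name = entryName(block[0]);
    const resolved = block.map((l) => /^\s+resolved "([^"]+)"/.exec(l)).find(Boolean);
    if (name === null || !packages.includes(name)) kept.push(...block);
    else if (resolved && resolved[1].startsWith(registryPrefix)) removed.push(block[0]);
    else { refused.push(block[0]); kept.push(...block); }
    i = end;
  }
  return { text: kept.join("\n"), removed, refused };
}

// Constructed sample lockfile: hypothetical packages, placeholder hashes.
const SAMPLE_LOCK = `# yarn lockfile v1

"@acme/snapshot-lib@^1.0.0":
  version "1.0.0"
  resolved "https://npm.internal.example/@acme/snapshot-lib/-/snapshot-lib-1.0.0.tgz#aaaa"
  integrity sha512-PLACEHOLDER1

"@acme/snapshot-lib@^2.0.0":
  version "2.0.0"
  resolved "https://registry.yarnpkg.com/@acme/snapshot-lib/-/snapshot-lib-2.0.0.tgz#bbbb"
  integrity sha512-PLACEHOLDER2

yallist@^2.1.2:
  version "2.1.2"
  resolved "https://registry.yarnpkg.com/yallist/-/yallist-2.1.2.tgz#cccc"
  integrity sha1-PLACEHOLDER3
`;

const result = dropLockEntries(SAMPLE_LOCK, ["@acme/snapshot-lib"], "https://npm.internal.example/");
console.log("removed:", result.removed, "refused:", result.refused);
```

Keep the trailing slash on the registry prefix so that a look-alike host name cannot match it. A non-empty `refused` list means an allow-listed name resolved from somewhere other than the internal registry, which is worth failing the build on.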