Is it possible to ignore the dependency hash validation of just one module (or registry)?

Tags:

npm

yarnpkg

The yarn.lock file saves all the dependencies versions and the hashes of the modules. I know that I can globally disable this hash checking with the option --skip-integrity-check.

We have an internal module that is continually developed. The dependency is really a snapshot package. When it is updated, it fails in our continuous integration environment because the updated package hash is different from the hash saved in yarn.lock.

Is it possible to disable the integrity check just for a specific module?

I'll accept the answer even if it tells how to disable the check for all the modules of a specific registry.

Update: My problem is that my continuous integration server job is breaking when the dependency is updated, even if there's no modification in my code. These are spurious failures and I want to stop them.

Update 2: The accepted solution is really a hack to solve a problem in a usual development workflow. There is an issue open for Yarn on GitHub to fix this problem.

neves asked Mar 26 '18 22:03




2 Answers

Instead of running

yarn install

You should run it like below

yarn add <specificpackage>@^<versions> --update-checksums
yarn install

This will make sure that the yarn.lock is updated with the latest hash for that package, and then yarn install will install the rest of the packages with the integrity check.

Update-1: 20-April

Another possible option is to use the preinstall hook. There are a few things you can try here. You can try updating the package. But be aware that launching the yarn command again in preinstall can cause infinite loops.

So a better way may be to run a grep, awk or sed command and get rid of the package entry in the yarn.lock file. This will make sure the yarn install command has no information on the hash and a mismatch can't occur.

If you don't want to use awk, sed or grep because of Windows compatibility then you should just write a simple nodejs script to get rid of the package from the yarn.lock file. This will be cross-OS compatible. The code below shows how to do the same.

yarn_remove_hash.js

const fs = require('fs')

const content = fs.readFileSync("yarn.lock", "utf-8");
const packageToDelete = "yallist"

let lines = content.split("\n")

for (let i = 0; i < lines.length; i++) {
    // An entry header starts at column 0 with the package name followed by "@"
    if (lines[i].startsWith(packageToDelete + "@")) {
        lines[i] = "";
        // Blank out the indented lines that belong to this entry,
        // stopping at the end of the file so the last entry can be removed too
        let y = i;
        while (y + 1 < lines.length && lines[++y][0] === " ") {
            lines[y] = ""
        }
    }
}

fs.writeFileSync("yarn.lock", lines.join("\n"))

And you will update the scripts section in package.json like below:

...
"preinstall": "node yarn_remove_hash.js"
...
Tarun Lalwani answered Sep 18 '22 10:09


If you want to make @Tarun Lalwani's --update-checksums more of a transparent process for you and others, you can add the following to .yarnrc:

--install.update-checksums true

Now when a user runs yarn install it will also update checksums implicitly. This was needed for me because one of my dependencies is linked to a snapshot .tar.gz that changes and NPM/Yarn would assume that it wouldn't, obviously leading us to this integrity issue. I had to move away from NPM because of this and also tried the preinstall hook (I thought I was clever but I guess you guys did the same). At least Yarn has an option around this. Tarun's updated answer did not work for me either because yarn.lock is checked before any hooks are run.

Kerry Johnson answered Sep 19 '22 10:09