yarn installs incorrect version for typescript, because dist-tag is ignored

[donaldpipowitch]

Do you want to request a feature or report a bug?

bug

What is the current behavior?
If the current behavior is a bug, please provide the steps to reproduce.

You have an empty package.json:

{
  "name": "yarn-test",
  "version": "1.0.0",
  "private": true
}

You run $ yarn add typescript:

yarn add v0.18.0
info No lockfile found.
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
[4/4] 📃  Building fresh packages...
success Saved lockfile.
success Saved 1 new dependency.
└─ typescript@2.0.10
✨  Done in 0.68s.

You now have this package.json:

{
  "name": "yarn-test",
  "version": "1.0.0",
  "private": true,
  "dependencies": {
    "typescript": "^2.0.10"
  }
}

And this yarn.lock:

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


typescript@^2.0.10:
  version "2.0.10"
  resolved "https://registry.yarnpkg.com/typescript/-/typescript-2.0.10.tgz#ccdd4ed86fd5550a407101a0814012e1b3fac3dd"

Now remove the yarn.lock and run $ yarn install.

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


typescript@^2.0.10:
  version "2.1.1"
  resolved "https://registry.yarnpkg.com/typescript/-/typescript-2.1.1.tgz#41c2b64472f529331b2055c0424862b44ce58d42"

Now typescript@2.1.1 was installed which is wrong. The latest version of Typescript is 2.0.10 which was installed in the first run. 2.1.1 is released with an @rc dist-tag.

$ npm i --save typescript@next
└── typescript@2.2.0-dev.20161205

$ npm i --save typescript@rc
└── typescript@2.1.1

$ npm i --save typescript@latest
└── typescript@2.0.10

What is the expected behavior?

Install typescript@2.0.10 again.

Please mention your node.js, yarn and operating system version.

$ node -v
v6.9.1

$ yarn -V
0.18.0

macOS 10.12.1

[cebor]

Any plans when this will be fixed ? I have the same issue with the latest typescript version: #2655

[mdouglass]

Are there any workarounds for this? I'm getting 2.3.0 rc installed for "typescript": "^2.2.1" in my package.json.

[StephenFluin]

Any update on this? This is affecting release of things like Angular. An upcoming release was put on npm with the tag @next but everyone pinned to the major ('^4.0.0') started getting it early.

[cebor]

@StephenFluin Angular should not be affected, because it uses a suffix like -rc.x in its rc releases.

Only repos using normal semver versions and tag these as rc with npm like typescript does are affected.

For Example:

• Angular

// npm info  @angular-core
{
  "dist-tags": {
    "rc": "4.1.0-rc.0",
    "latest": "4.0.0"
  },
  "versions": [
    "4.0.0",
    "4.1.0-rc.0"
  ]
}

yarn add angular-core # installs 4.0.0

• Typescript

// npm info typescript
{
  "dist-tags": {
    "rc": "2.4.0",
    "latest": "2.3.0"
  },
  "versions": [
    "2.3.0",
    "2.4.0"
  ]
}

yarn add typescript # installs 2.4.0, and its wrong - should be 2.3.0

[BruceHubbard]

I just got bit by this today. Is Yarn by design ignoring dist-tags? Or is this a bug to be fixed?

[abdullah-txfusion]

Having the same issue. Installs 5.4.5 when package.json has ^5.2.2.