-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Yarn --production tries to resolve devDeps as well #3630
Comments
This happens because Yarn needs to consider the devDependencies so that it can produce a deterministic build between prod and dev builds (packages will be hoisted to the same locations). |
Not sure I got it... lets consider two situations:
Will there be the difference in |
Actually, I think this is related to my another problem #1379 |
Possibly. Consider something like:
And
With devDependencies, the dependency tree is:
so A@1 can not longer be hoisted to top level, resulting in:
Without devDependencies, the dependency tree is:
But
(This is non-deterministic because B@1 could end up in 2 different paths; either in What Yarn wants to do for a deterministic build is to make sure that B@1.0.0 is installed to the same location every time, so a
I hope that makes sense :) Basically all the devDependencies are built into the dependency tree when figuring out where to hoist packages to, and calculating that dependency tree needs the metadata for all those packages. |
@Diokuz I haven't tried it myself, but you might see if NPM5 has the same issue. If I understand the NPM5 lockfile correctly, I think it saves the resolved / hoisted position for each package in their lockfile (Yarn does not), so it might not need to query the metadata for your private repos. As much as I hate to steer anyone toward NPM, this might be a case where NPM5 works better. It's worth a test anyway! You might also be able to solve this using the Yarn offline mirror, since the metadata and package would be saved there and shouldn't have to query the actual server. However that might have other security concerns for you, since a copy of your private repo code would be in that mirror directory. |
@rally25rs thank you so much for explanation! So, I think I get my answer. The only question now: will that be done in near future? I mean, saving positions in lock file. |
It's not only a question of position. Let's say you have this package.json: {
"dependencies": {
"a": "^1.0.0"
},
"devDependencies": {
"b": "^1.0.0"
}
} And that the following are true:
If we don't resolve devDependencies, then in prod we'll have the following:
And in dev, because of the deduplication optimization, we'll have the following:
Note that we end up using a different version of |
Now that I think about this, maybe in practice it could work, since the lockfile would still pin the version - at least assuming that this lockfile has been generated in dev mode. Still, I'm not convinced this is an issue worth fixing right now. I feel like this is something that could probably be better solved through your build environment. |
Well, we have solved our problem via Anyway, thanks for answers) |
@arcanis We don't control the build environment. For example I am using Netlify which does not have access to private dependencies through github (not npm private registry, so I can't do something like Edit: Just tested npm5. It does not need to resolve devDependencies |
I love Yarn but this has repeatedly been raised as an issue since last year and is always closed. Surely this is a common use case to have access to different packages in production and development? My own situation is that I'm using a private Git dependency in development and in CI/production I am using a private module hosted on NPM. I don't want to give my CI system or production systems access to GitHub - Yarn should not require access to that dependency. If NPM can figure out a solution that works, so can Yarn. For now I am going to have to switch back to NPM. |
Hey, bumping into this issue at well.
How to reproduce:
|
Have any of you tried using |
Just tried, doesn't seem to work. |
That PR has been closed without merging, any idea when a new one might make it onto the schedule? |
The thing is, we still need those An alternative would be to use the offline mirror feature that would include the dev dependency packages or, their stripped-down versions which only contains the package.json files. @olingern's suggestion also sounds good but I don't know what the implications for that are. @kaylieEB, @arcanis, @bestander - any thoughts? |
This is still an issue, and can even stop the installation when a dev dependency fails to resolve (e.g. Repro:
Which ends up with:
|
I ran into this in a similar scenario. My build server has an old version of node which isn't compatible with eslint 5 (which is a devDependency), but
|
@mkopinsky This doesn't have anything to do with I would recommend being consistent, though. https://yarnpkg.com/lang/en/docs/package-json/#toc-engines From the docs:
|
I'm not sure we're understanding each other. eslint's engine constraint is totally fine. My issue is that I wouldn't expect the engine constraint of a dev dependency to block a production install. |
I think this is purely subjective and doesn't take the overall architecture in mind. I'm tempted to close as wontfix. |
Giving it a second thought the problem you mention is a bug, @mkopinsky, but it's a different topic than what is discussed in this thread. You should open a new issue. |
I ran into an issue related to this, since yarn tries to resolve devDependencies when installing in production it fails when the devDependency is not resolvable. This happens if the devDeps are part of a unpublished mono-repo but aren't needed anymore after the compilation is done and a package published. I second a vote for embedding this information in the yarn.lock file so devDeps are required to be resolvable. |
This is a really big problem when deploying to Heroku because bundle size is capped at 500mo max and some devDependencies are really big.. Can we get rid of the devDependencies installation ? |
The issue is not installing
This should already be the case for the initial creation of the lock file. After that, you can run Yarn with |
@BYK |
@BYK By "it is merely resolving them" do you mean it is "adding them to node_modules"? If you don't mean that, then this flag doesn't work at all (v1.21.1) |
Very puzzled, the packages appearing in dependencies and devDependencies should be unique. |
Resolving means reading their
It does since we have tests for this behavior. It maybe getting overridden by your environment variables or something else. |
Temporary fixes (deleting all the dev dependencies from package.json): jq 'del(.devDependencies)' package.json > package.json.tmp && mv package.json.tmp package.json
&& yarn install --prod --frozen-lockfile (requires installing or awk '/},/ { p = 0 } { if (!p) { print $0 } } /"devDependencies":/ { p = 1 }' package.json > package.json.tmp && mv package.json.tmp package.json
&& yarn install --prod --frozen-lockfile |
Use of Tested with yarn 1.17.3 |
@dvdotsenko At least not if a dev dependency points to an external Git repo... Yarn wants to fetch the remote repo when I run |
I know this issue is old, but as this isn't resolved and my specific case isn't mentioned I thought I'd chip in. The project I work on is a js monorepo using Firebase (Firestore, functions, hosting, etc). We've defined During deploy Obviously we could use one of the work arounds mentioned here (copy/link/embed the files, use NPM5, etc) but they are all work arounds involving extra work and are less than ideal. |
This is not fixed for yarn I am using For now I have a workaround, thanks to @NotWearingPants #3630 (comment) |
This is also not fixed in 1.22.17. |
Really, no solution after 6 years? This is a real problem :( |
I'm running into this too, running |
Do you want to request a feature or report a bug?
This is a bug, or unexpected behaviour.
What is the current behavior?
package.json
which havedevDependencies
and one of them are privateyarn --production
To fix that I need additional workaround with authToken (the problem arises in docker build process).
What is the expected behavior?
Yarn should only resolve production packages when
--production
flag exposed.Please mention your node.js, yarn and operating system version.
The text was updated successfully, but these errors were encountered: