
yarn.lock, do you understand it?

2021-08-24 01:19:19 Space programming


Have you ever run into this: after pulling the project and running yarn install to install dependencies, yarn.lock shows up as changed, even though I didn't do anything. Why is that? From past experience (I've been burned by this once), yarn.lock shouldn't have any diff, so something must be wrong! But when I ran git diff yarn.lock I found I couldn't make sense of the output (I'm pretty clueless).

A case

Let me recount the case I ran into. The project had a dependency foo:

  • package.json defined it as foo@^1.0.1
  • the version in yarn.lock was 1.0.1

Classmate A was responsible for developing the foo library. After a release, A upgraded the project's dependency to 1.1.0, but when committing the code only changed package.json and did not update yarn.lock.

From then on, every time we pulled new code and installed dependencies there was an annoying local change to yarn.lock. Everyone assumed that somebody had forgotten to commit yarn.lock when upgrading the dependency, so classmate B took action:

  • First B checked which versions of foo are available now. The latest is 1.1.2, two versions ahead of the ^1.1.0 defined in package.json. There is no guarantee that 1.1.0 is what gets installed, because every deployment picks the latest version within the ^1.1.0 range.
  • Then B looked at the last deployment's build log and found that 1.1.2 had been downloaded.
  • So B committed yarn.lock with the version locked at 1.1.2.

Then, a day later, a group chat was set up:

  • Version 1.1.2 had a bug; it was fixed and 1.1.3 was released.

  • But in the project, because B had locked the version at 1.1.2, the bug was locked in too.

  • Classmate A asked B why B had locked the version of somebody else's library.

  • A few TODOs to remember from this case:

    • Because yarn.lock was not committed, it is unclear whether classmate A upgraded through yarn upgrade or edited package.json by hand. So: don't upgrade a version by manually modifying package.json.
    • After upgrading a dependency, be sure to commit package.json and yarn.lock together.

About yarn.lock

What does yarn.lock do?

It locks a unique version!

  • package.json defines a version range, such as ^1.0.0
  • the version field in yarn.lock is a unique version number, such as 1.0.0

What does yarn.lock look like?

It is made up of blocks, each roughly like the one below:

[email protected]^3.0.0:
  version "3.14.0"
  resolved ""
  integrity sha1-tXTavykYRoHVsWNXvTPRBN89KaU=
  dependencies:
    browserslist "^4.16.6"
    semver "7.0.0"


The first line, [email protected]^3.0.0, is the identifier: the package name and the version range from package.json, joined with @. It is called identifier(s) because several identifiers may end up pointing to the same version (see the browserslist example under dependencies below).

The second line, version, is the version actually installed. It usually satisfies the version range: the identifier above has the range ^3.0.0 and the installed version is 3.14.0, which meets it. Why "usually"? Because there are exceptions, which I cover in the resolutions section later.

The third line, resolved, is a link: the address this package is downloaded from. The domain in this URL corresponds to the registry configured in the project's .npmrc or in your local npm configuration.

The fourth line, integrity, is an integrity check on the file downloaded from resolved. If it shows a diff, the file behind the same download link has been modified.

The fifth part, dependencies, lists the package's own dependencies. Here it depends on browserslist "^4.16.6"; to see which version was actually installed, build the identifier browserslist@^4.16.6 and search for it in yarn.lock to find the corresponding block:

browserslist@^4.0.0, browserslist@^4.11.1, browserslist@^4.12.0, browserslist@^4.14.5, browserslist@^4.16.0, browserslist@^4.16.6, browserslist@^4.3.6, browserslist@^4.6.2, browserslist@^4.6.4, browserslist@^4.7.2, browserslist@^4.9.1:
  version "4.16.6"
  resolved ""
  integrity sha1-15ASd6WojlVO0wWxg+ybDAj2b6I=
  dependencies:
    caniuse-lite "^1.0.30001219"
    colorette "^1.2.2"
    electron-to-chromium "^1.3.723"
    escalade "^3.1.1"
    node-releases "^1.1.71"

The first line of this example has multiple identifiers, and all of them point to the version "4.16.6" on the second line. You can check that 4.16.6 satisfies the range of every identifier above: ^4.0.0, ^4.11.1, and so on.

How is yarn.lock generated?

yarn.lock is generated automatically; you should not modify it by hand.

Dependency management

Our routine operations, for example, automatically update package.json and yarn.lock:

  • add a dependency: yarn add

  • upgrade a dependency: yarn upgrade


Overbearing resolutions

Suppose your project depends on foo, and foo depends on bar@^1.0.0. Suppose bar now has two versions, 1.0.0 and 1.1.0. Unfortunately bar did not take backward compatibility seriously when releasing 1.1.0, so foo and bar@1.1.0 cannot be used together. If you can wait:

  • either wait for foo to pin its dependency on bar to 1.0.0 and re-release,
  • or wait for bar to fix the compatibility issue and re-release.

What if you can't wait? You know foo works with bar@1.0.0. It would be enough to lock foo's dependency on bar, but that is defined in foo's package.json, and you can't go and change node_modules/foo/package.json, can you? That is not appropriate. resolutions[1] solves this problem: in your own project's package.json, define:

"resolutions": {
  "foo/bar": "1.0.0"
}

Here the key "foo/bar" means foo's direct dependency on bar, and its version range is rewritten to 1.0.0. If foo does not depend on bar directly (foo -> ... -> bar), do you have to spell out every link in the chain? No, it is not that much trouble:

"resolutions": {
  "foo/**/bar": "1.0.0"
}

If many dependencies in your project depend on bar directly or indirectly, each possibly with a different version range, and you know one version that makes them all work, you would rather not install multiple versions. You can also leave out the prefix part and write only the package name bar, so that wherever bar is depended on, it points to the version you declare:

"resolutions": {
  "bar": "1.0.0"
}

After running yarn install, search yarn.lock for bar@1.0.0:

bar@^1.0.0, bar@1.0.0, bar@^2.0.0:
  version "1.0.0"

As you can see, resolutions can violate the limits of a version range: in the example above the identifiers include bar@^2.0.0, yet the installed version is 1.0.0.

How to avoid problems ?

yarn.lock and package.json do not match

  • Only package.json was changed, and the updated yarn.lock was not committed

  • So after running yarn install, yarn.lock shows changes
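An added example (not code from the original post) that mechanises two checks from this article: it parses a constructed yarn.lock v1 text together with a package.json, reports dependencies whose name@range identifier is missing from the lock file (exactly the mismatch that makes yarn install rewrite yarn.lock), and flags locked versions that fall outside an identifier's range, the trace a resolutions override leaves, as in the bar@^2.0.0 case above. The package names, versions and the small caret/tilde semver matcher are assumptions of this example; only exact, ^ and ~ ranges are modelled.

```javascript
// Constructed sample: package.json bumped to foo@^1.1.0 while the committed
// yarn.lock still carries foo@^1.0.1; bar is pinned through "resolutions".
const PACKAGE_JSON = JSON.stringify({
  dependencies: { foo: "^1.1.0", bar: "^1.0.0" }, resolutions: { bar: "1.0.0" } });
const YARN_LOCK = `# yarn lockfile v1
bar@^1.0.0, bar@1.0.0, bar@^2.0.0:
  version "1.0.0"

foo@^1.0.1:
  version "1.0.1"
`;
// Parse yarn.lock v1 into { identifiers, version } entries. A block header is an
// unindented line ending in ":" listing comma-separated, optionally quoted ids.
function parseYarnLock(text) {
  const entries = []; let cur = null;
  for (const line of text.split("\n")) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      const ids = line.slice(0, -1).split(",").map(s => s.trim().replace(/^"|"$/g, ""));
      entries.push((cur = { identifiers: ids, version: null }));
    } else if (cur && /^\s+version "/.test(line)) {
      cur.version = line.match(/"([^"]+)"/)[1];
    }
  }
  return entries;
}
const cmp = (x, y) => x[0] - y[0] || x[1] - y[1] || x[2] - y[2];
// Minimal semver check for exact, ^ and ~ ranges; returns null for other syntax.
function satisfies(version, range) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(range); if (!m) return null;
  const lo = [+m[2], +m[3], +m[4]], v = version.split(".").map(Number);
  if (m[1] === "") return cmp(v, lo) === 0;
  if (cmp(v, lo) < 0) return false;
  const hi = m[1] === "~" || (m[1] === "^" && lo[0] === 0 && lo[1] !== 0) ? [lo[0], lo[1] + 1, 0]
    : m[1] === "^" && lo[0] === 0 ? [0, 0, lo[2] + 1] : [lo[0] + 1, 0, 0];
  return cmp(v, hi) < 0;
}
// missing: package.json identifiers absent from yarn.lock (what makes `yarn install`
// rewrite the lock file); overridden: locked versions outside an identifier's range.
function auditLock(pkgJsonText, lockText) {
  const deps = JSON.parse(pkgJsonText).dependencies || {};
  const entries = parseYarnLock(lockText);
  const known = new Set(entries.flatMap(e => e.identifiers));
  const missing = Object.entries(deps).map(([n, r]) => `${n}@${r}`).filter(id => !known.has(id));
  const overridden = [];
  for (const e of entries) for (const id of e.identifiers) {
    const range = id.slice(id.lastIndexOf("@") + 1); // last "@" copes with @scope/name
    if (satisfies(e.version, range) === false) overridden.push(`${id} -> ${e.version}`);
  }
  return { missing, overridden };
}
```

Running auditLock(PACKAGE_JSON, YARN_LOCK) on the sample reports foo@^1.1.0 as missing and bar@^2.0.0 -> 1.0.0 as overridden; pointing it at a real project's files gives the same two signals in CI before yarn install is allowed to rewrite the lock file.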

How to fix it

  • Deal with the person who introduced the problem (PEACE & LOVE)

  • Confirm the diff and commit the changed yarn.lock

    • Work out which dependencies produced the diff and regression-test the related features (a bit expensive, and with complex dependencies it is hard to confirm the blast radius)

    • OR change it to the last deployed version (which may be carrying a live bug)

Clearly it is hard to fix after the fact, and there is an element of gambling, so we had better prevent it.

How to prevent

Even if the project is fine now, we should still take precautions!

  • Developers and code reviewers (CR) check together

  • Block the build (there are several options)

    • `npm ci`[2] is similar to npm install, but if package-lock.json does not match while installing dependencies it throws an error and exits instead of updating the lock file

    • `yarn install --frozen-lockfile`[3] is the equivalent of npm ci, but testing turned up several problems:

      • a version modified through resolutions: no error reported
      • Classic Yarn (v1) with a dependency removed from package.json: no error reported (v2 fixed this problem)

    • yarn install && git diff `--exit-code`[4] yarn.lock: run the normal install command, then check that the lock file has no diff

      • advantage: simple, crude and intuitive (no surprises caused by misunderstanding a command or its parameters)
      • disadvantage: slow and inefficient, because the dependencies that need updating are still downloaded; ideally it would stop as soon as an update is detected (I haven't thought of a good way to do that yet)

Deleting the lock file and reinstalling everything


After updating a dependency you find the project won't run and suspect a dependency problem. Have you ever tried deleting yarn.lock and node_modules and reinstalling? With luck, maybe "the problem is solved" (solved, though apparently not completely; anyway the project runs).

Once yarn.lock is deleted, the locked versions are released, and yarn install fetches the latest version within each range defined in package.json. So dependencies you did not expect may get updated, and unfortunately that may introduce bugs.

You can make a standalone dependency, empty-lock-lock:

  • it does nothing (an empty library); release it as 1.0.0
  • then define a postinstall script that throws directly; release that as 1.0.1

Install it in the project with yarn add empty-lock-lock@1.0.0 --dev; yarn.lock will lock the version at 1.0.0. Then set the trap:

  • manually change the version in package.json to the range ^1.0.0
  • manually edit yarn.lock and replace the identifier part, empty-lock-lock@1.0.0, with empty-lock-lock@^1.0.0 as well

Commit after modifying. You can run yarn install again to verify that yarn.lock has no diff, proving that the manually modified package.json and yarn.lock still match. Now wait for the mouse to take the bait: if someone deletes yarn.lock entirely and reruns yarn install, then when it comes to installing empty-lock-lock it will look for the latest version within the ^1.0.0 range defined in package.json, find 1.0.1, and after downloading it trigger the postinstall, which throws!

Extended reading

  • The various dependencies defined in package.json

Reference material

  [2] npm ci

  [3] yarn install --frozen-lockfile