Yarn install ignores lockfile #3241

Closed
alanondra opened this issue Apr 23, 2017 · 6 comments

@alanondra

Do you want to request a feature or report a bug?
bug

What is the current behavior?
When running yarn install it ignores the lockfile entirely and updates all packages.

What is the expected behavior?
Installing only the versions of packages listed in the lockfile. Since there is no documentation on forcing it to abide I hoped this was the expected default behavior.

Please mention your node.js, yarn and operating system version.
Yarn v0.23.2
Windows 7 x64

@arcanis
Member

arcanis commented Apr 24, 2017

I can't reproduce this behavior:

YARN=yarn
ISSUE=3241

rm -rf /tmp/yarn-issue-$ISSUE
mkdir -p /tmp/yarn-issue-$ISSUE
cd /tmp/yarn-issue-$ISSUE

printf '{ "license": "MIT", "dependencies": { "left-pad": "^1.1.0" } }' > package.json
printf 'left-pad@^1.1.0:\n  version "1.1.0"\n  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.1.0.tgz"\n' > yarn.lock

$YARN install |:
$YARN list

rm -rf /tmp/yarn-issue-$ISSUE
mkdir -p /tmp/yarn-issue-$ISSUE
cd /tmp/yarn-issue-$ISSUE

printf '{ "license": "MIT", "dependencies": { "left-pad": "^1.1.0" } }' > package.json
printf 'left-pad@^1.1.0:\n  version "1.1.1"\n  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.1.1.tgz"\n' > yarn.lock

$YARN install |:
$YARN list

printf '{ "license": "MIT", "dependencies": { "left-pad": "^1.1.0", "right-pad": "^1.0.0" } }' > package.json

$YARN install |:
$YARN list

@alanondra
Author

I don't know what else there is to really tell except it installed different versions of packages than what's defined in the lockfile and then updated the lockfile. The package cross-env for example was at v3.2.3 but was updated to the broken v4.0.0.

@arcanis
Member

arcanis commented Apr 24, 2017

Can you update the script I provided above so that we can reproduce the issue on our side? Without repro, we won't be able to do much.

@OmerHerera

Is this the same issue I opened here?
I think it is a duplicate.
Thanks

@rally25rs
Contributor

The only way I've come close to reproducing this is if I edit my package.json file then re-run yarn install.

For example:

  • yarn add jest@18.0.0 -- installs 18.0.0
  • edit package.json, change to ^18.0.0
  • yarn install -- installs 18.1.0 and updates lock file

But that scenario makes sense because the "key" into the lock file is the package name and version:

babel-jest@^18.0.0: ...

So changing the version range in the package.json would make it no longer find the entry in the lockfile.

It is unclear what @alanondra did to produce this error though.

@bestander Without reproduction steps, I suggest we close this issue for now, or mark it as a duplicate of #3252 until repro steps are added.
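
The lockfile-key behaviour described in the comment above can be checked before an install runs. The following is an added example, not part of the original thread and not Yarn's own code: it lists every package.json dependency whose exact `name@range` string has no entry header in a Yarn v1 lockfile. The function names and sample inputs are constructed for illustration, and the header parsing is a simplification that assumes patterns contain no commas.

```javascript
// Added example (not Yarn's own code): flag package.json dependencies whose
// exact "name@range" key is absent from a Yarn v1 lockfile.

// Collect the patterns from lockfile entry headers. Headers are unindented
// lines ending in ":"; one header may list several comma-separated patterns,
// and patterns may be wrapped in double quotes.
function lockfileKeys(lockText) {
  const keys = new Set();
  for (const line of lockText.split(/\r?\n/)) {
    if (!line || /^[\s#]/.test(line) || !line.endsWith(':')) continue;
    for (const part of line.slice(0, -1).split(',')) {
      keys.add(part.trim().replace(/^"|"$/g, ''));
    }
  }
  return keys;
}

// Return every "name@range" from package.json with no matching lockfile key.
// Per the explanation above, these are the entries an install would not find
// in the lockfile and would therefore resolve afresh.
function unlockedDependencies(pkgJsonText, lockText) {
  const pkg = JSON.parse(pkgJsonText);
  const keys = lockfileKeys(lockText);
  const missing = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!keys.has(`${name}@${range}`)) missing.push(`${name}@${range}`);
    }
  }
  return missing;
}

// Constructed sample input, modelled on the jest and left-pad cases above.
const SAMPLE_LOCK = [
  'jest@18.0.0:',
  '  version "18.0.0"',
  '',
  'left-pad@^1.1.0:',
  '  version "1.1.0"',
  '  resolved "https://registry.yarnpkg.com/left-pad/-/left-pad-1.1.0.tgz"',
  '',
].join('\n');
const PKG_PINNED = '{ "dependencies": { "jest": "18.0.0", "left-pad": "^1.1.0" } }';
const PKG_EDITED = '{ "dependencies": { "jest": "^18.0.0", "left-pad": "^1.1.0" } }';

console.log(unlockedDependencies(PKG_PINNED, SAMPLE_LOCK)); // []
console.log(unlockedDependencies(PKG_EDITED, SAMPLE_LOCK)); // [ 'jest@^18.0.0' ]
```

A non-empty result means the lockfile no longer pins everything package.json asks for. Yarn's `--frozen-lockfile` install flag makes the install fail in that situation instead of rewriting yarn.lock.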

@alanondra
Author

alanondra commented Apr 28, 2017

I was working on a project some months ago and had to step away while I built a new computer. When I came back to the project I cloned my repository and just ran yarn install to fetch the packages. I've only been using Yarn to manage my dependencies. I haven't been altering the package.json or yarn.lock files by hand at all so that I could avoid any potential issues like this.

I'll try to post the package.json and yarn.lock files where the issue comes up later today.
