Yarn Import now uses Package-lock.json

Forwarded from: Https://yarnpkg.com/blog/2018/06/04/yarn-import-package-lock/?utm_source=tuicool&utm_medium=referral

Posted June 4, 2018 by Aram Drevekenin

for a while now, the JavaScript ecosystem is a host to a few different dependency lock file formats including yarn ' s   yarn.lock   and NPM ' s   package-lock.json .

We are quite excited to announce, as of 1.7.0 yarn is able to import its Dependenc Y tree from NPM ' s package-lock.json natively, without external tools or clunky processes.

This would no doubt come as great news for developers working in mixed npm/yarn environments or wanting to try yarn out on Existing projects.

all you need to does is issue the   Yarn import   command in a repository with a   package-lock.json file, and yarn would use the resolution information from the existing   package-lock.json   file and a corresponding   yarn.lock   file would be created.

This feature is one of the first fruits of a continuing collaboration between the maintainers of the. We feel strongly about the both tools being aware of each other and providing a easy transition path between them. If you is interested or want to help, head over to the related GitHub issue.

How does it work under the hood

Previously, yarn import would rely on a package ' s node_modules directory to determine the fixed ver Sions to which the new Yarn.lock file needs to resolve its semver ranges. Now, the It falls back to this behaviour if it cannot find a package-lock.json file.

When it does, yarn creates a dependency tree using Npm-logical-tree From the package.json and package-lock.json In the project ' s root directory. It then uses the fixed versions in so tree to create its own yarn.lock Lockfile. The resulting yarn.lock 'll has all the exact fixed versions specified in package-lock.json. Ready to being installed and committed in your repository.

Limitations

the, lockfile formats and contents are Different. Each has their own priorities,   guarantees and trade-offs in terms of determinism, consistency and more. Since   yarn.lock   chooses only to store the logical dependency tree, preferring to future-proof for Pote Ntial physical tree and hoisting optimizations, there is certain nuances that   package-lock.json   expresses that   yarn.lock cannot.

One example would be:

// package-lock.json (slightly simplified for clarity){  "name": "nuanced-dependency-tree",  "dependencies": {    "a": {      "version": "9.9.9",      "requires": {        "c": "^1.0.0"      },      "dependencies": {        "c": {          "version": "1.0.1"        }      }    },    "b": {      "version": "8.8.8",      "requires": {        "c": "^1.0.0"      }    },    "c": {      "version": "1.0.5"    }  }}

Here, we have both packages a and b which require the same semver range of package c: ^1.0.0 and get different versions: 1.0.1 and 1.0.5 respectively.

This would is imported to yarn as:

// yarn.lock (slightly simplified for clarity)[email protected]  version "9.9.9"  dependencies:    c "^1.0.0"[email protected]  version "8.8.8"  dependencies:    c "^1.0.0"[email protected]^1.0.0  version "1.0.5"

Here b' s dependency c Would change it locked version from 1.0.1 To 1.0.5 Because yarn.lock Cannot express this duplication. Yarn chooses and aims to has a single resolved version for all compatible version ranges. While in the most cases such minor changes should is not having much effect-we encourage you to use this feature with care. Can still override ranges if you need to, using The selective version resolutions feature in yarn.

Future plans

Currently, we ' re planning to add some warnings to users who use both yarn and npm I n the same repository to install packages. If there ' s a need, we might also try to expand the feature to other lock file formats. If you ' d like-to-point-out other issues of interoperability, or try your hand at fixing them-we encourage you to file an issue or better, fix one by sending a PR.

We highly recommend you to delete package-lock.json the File If you decide to use yarn in order to avoid the future confusion and possible consistency issues.

Yarn Import now uses Package-lock.json