You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
yarn.lock checksums are calculated based on the hash of the zip files in the cache directory, NOT their contents. This causes issues where if a user has a global .yarnrc.yml with compressionLevel set to something other than the default 0, yarn will always attempt to update the lockfile with all new hashes. This is especially bad in a hypothetical scenario where a developer has compressionLevel set globally and commits their lockfile, then someone tries to use the lockfile with --immutable (say, in a typical distro package build script).
Self-service
Describe the bug
yarn.lock checksums are calculated based on the hash of the zip files in the cache directory, NOT their contents. This causes issues where if a user has a global .yarnrc.yml with compressionLevel set to something other than the default 0, yarn will always attempt to update the lockfile with all new hashes. This is especially bad in a hypothetical scenario where a developer has compressionLevel set globally and commits their lockfile, then someone tries to use the lockfile with --immutable (say, in a typical distro package build script).
To reproduce
Environment
System: OS: Linux 6.6 NixOS 24.05 (Uakari) 24.05 (Uakari) CPU: (12) x64 AMD Ryzen 5 5600X 6-Core Processor Binaries: Node: 20.10.0 - /tmp/xfs-94698436/node Yarn: 4.0.1 - /tmp/xfs-94698436/yarn npmPackages: jest: ^29.5.0 => 29.7.0
Additional context
The text was updated successfully, but these errors were encountered: