22

The yarn.lock file saves all the dependencies' versions and the hashes of the modules. I know that I can globally disable this hash checking with the option `--skip-integrity-check`.

We have an internal module that is continually developed. The dependency is really on a snapshot package. When it is updated, it fails in our continuous integration environment because the updated package hash is different from the hash saved in yarn.lock.

Is it possible to disable the integrity check just for a specific module?

I'll accept the answer even if it tells how to disable the check for all the modules of a specific registry.

Update: My problem is that my continuous integration server job is breaking when the dependency is updated, even if there's no modification in my code. These are spurious failures and I want to stop them.

Update 2: The accepted solution is really a hack to solve a problem in a usual development workflow. There is an issue open for Yarn in GitHub to fix this problem.

Mateusz Piotrowski
neves
  • Instead of disabling integrity check, could you not run `yarn upgrade ` to synchronise your lockfile to the latest available module snapshot? –  Apr 18 '18 at 20:14
  • @mrblewog: I've changed the question to make it clearer. The problem is my continuous integration server. – neves Apr 19 '18 at 20:21
  • Noted - and I don’t know the answer I’m afraid! –  Apr 19 '18 at 20:23

2 Answers

22

Instead of running

```
yarn install
```

you should run it like below:

```
yarn add <specificpackage>@^<versions> --update-checksums
yarn install
```

This will make sure that the yarn.lock is updated with the latest hash for that package, and then `yarn install` will install the rest of the packages with the integrity check.

Update-1: 20-April

Another possible option is to use the preinstall hook. There are a few things you can try here. You can try updating the package. But be aware that launching the yarn command again in preinstall can cause infinite loops.

So a better way may be to run a grep, awk or sed command and get rid of the package entry in the yarn.lock file. This will make sure the `yarn install` command has no information on the hash and a mismatch can't occur.

If you don't want to use awk, sed or grep because of Windows compatibility, then you should just write a simple Node.js script to get rid of the package from the yarn.lock file. This will be cross-OS compatible. The code below shows how to do the same.

yarn_remove_hash.js

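```js
const fs = require('fs');

const LOCKFILE = 'yarn.lock';
const packageToDelete = 'yallist';

const lines = fs.readFileSync(LOCKFILE, 'utf-8').split('\n');

// A yarn v1 lockfile entry starts at column 0 with `name@range` (optionally
// quoted) and is followed by indented lines (version, resolved, integrity, ...).
const isEntryHeader = (line) =>
    line.startsWith(packageToDelete + '@') ||
    line.startsWith('"' + packageToDelete + '@');

for (let i = 0; i < lines.length; i++) {
    if (!isEntryHeader(lines[i])) continue;
    lines[i] = '';
    // Blank the indented body; the bounds check covers an entry at end of file.
    for (let y = i + 1; y < lines.length && lines[y].startsWith(' '); y++) {
        lines[y] = '';
    }
}

fs.writeFileSync(LOCKFILE, lines.join('\n'));
```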

And you will update your scripts section in package.json like below:

```
...
"preinstall": "node yarn_remove_hash.js"
...
```
Tarun Lalwani
  • 1
    I want it to stop checking the checksum. This will fix it once, but when the package is updated (it is a package in development), it will fail again. I want to prevent the need to update the hash sum every time so my continuous integration won't fail. – neves Apr 19 '18 at 20:15
  • Doesn't the CI checkout the package and always do a fresh install? – Tarun Lalwani Apr 19 '18 at 20:18
  • Yes, but the yarn.lock file becomes inconsistent with the dependency package in your Nexus repository. So it fails. @Tarun Lalwani – neves Apr 19 '18 at 20:26
  • Please join [this](https://chat.stackoverflow.com/rooms/169375/discussion-for-49501749-yarn-is-it-possible-to-ignore-the-dependency-hash-validat) chat room – Tarun Lalwani Apr 19 '18 at 20:28
  • 1
    I need to run `node yarn_remove_hash.js` separately because yarn reads the yarn.lock file before running the preinstall script. – originof Nov 29 '18 at 10:25
  • 1
    Node v12 works as is. Node v16 seems to keep the first load of `yarn.lock` in memory throughout the hooks, so further modifications aren't naturally seen by Yarn. However, if you update it to be `"preinstall": "node yarn_remove_hash.js && yarn install --ignore-scripts"`, it seems to load the modified `yarn.lock` into memory and in my case was able to continue as expected. I couldn't find a more specialized command to do the same unfortunately. – Kerry Johnson Jun 15 '21 at 18:12
1

If you want to make @Tarun Lalwani's `--update-checksums` more of a transparent process for you and others, you can add the following to `.yarnrc`:

```
--install.update-checksums true
```

Now when a user runs `yarn install` it will also update checksums implicitly. This was needed for me because one of my dependencies is linked to a snapshot .tar.gz that changes and NPM/Yarn would assume that it wouldn't, obviously leading us to this integrity issue. I had to move away from NPM because of this and also tried the preinstall hook (I thought I was clever but I guess you guys did the same). At least Yarn has an option around this. Tarun's updated answer did not work for me either because yarn.lock is checked against before any hooks are run.

Kerry Johnson
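Both answers let the lockfile pin move without review: `--update-checksums` rewrites any checksum that mismatches, not only the snapshot package's. The following CI check is an added example (not code from either answer or from Yarn) that compares the committed yarn.lock with the one left after install and reports every package whose pin changed outside an allow-list. It assumes the yarn v1 lockfile format; the function names and the `internal-snapshot` package name are hypothetical.

```javascript
// Added example; function names and sample lockfiles are constructed.

// Parse a yarn v1 lockfile into Map<entry header, {version, resolved, integrity}>.
function parseLock(text) {
  const entries = new Map();
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) { // header: `name@range[, name@range]:`
      current = {};
      entries.set(line.replace(/:$/, ''), current);
      continue;
    }
    const m = /^  (version|resolved|integrity) "?([^"]*)"?$/.exec(line);
    if (m && current) current[m[1]] = m[2];
  }
  return entries;
}

// Package name of a header; indexOf('@', 1) skips the '@' of a scoped name.
function packageName(header) {
  const first = header.split(', ')[0].replace(/"/g, '');
  return first.slice(0, first.indexOf('@', 1));
}

// Names of packages whose pin changed (or whose entry appeared or vanished)
// between two lockfiles and that are not in `allowed`.
function unexpectedChanges(beforeText, afterText, allowed) {
  const before = parseLock(beforeText);
  const after = parseLock(afterText);
  const offenders = new Set();
  for (const key of new Set([...before.keys(), ...after.keys()])) {
    const a = before.get(key) || {};
    const b = after.get(key) || {};
    const same = ['version', 'resolved', 'integrity'].every((f) => a[f] === b[f]);
    if (!same && !allowed.includes(packageName(key))) offenders.add(packageName(key));
  }
  return [...offenders].sort();
}

// Constructed sample: committed lockfile vs. the one after `--update-checksums`.
const entry = (key, sum) => `${key}:\n  version "1.0.0"\n  integrity sha512-${sum}\n`;
const BEFORE = ['# yarn lockfile v1\n', entry('internal-snapshot@^1.0.0', 'AAAA'),
  entry('"@scope/lib@^1.0.0"', 'BBBB'), entry('yallist@^1.0.0', 'CCCC')].join('\n');
const AFTER = ['# yarn lockfile v1\n', entry('internal-snapshot@^1.0.0', 'DDDD'),
  entry('"@scope/lib@^1.0.0"', 'EEEE'), entry('yallist@^1.0.0', 'CCCC')].join('\n');

console.log(unexpectedChanges(BEFORE, AFTER, ['internal-snapshot'])); // [ '@scope/lib' ]
```

In CI, pass the committed yarn.lock and the file as it stands after the install, and fail the job when the returned list is non-empty.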