yarn-deduplicate's Introduction

yarn-deduplicate

Cleans up yarn.lock by removing duplicates.

This package only works with Yarn v1. Yarn v2 supports package deduplication natively!

A package is duplicated when two dependencies on it are resolved to different versions, even though a single version would match the ranges specified by both dependencies. See the Deduplication strategies section for a few examples.

Installation

Install the package globally:

npm install -g yarn-deduplicate

or

yarn global add yarn-deduplicate

This package also works with npx, so you don't need to install it. For example, to recreate the most common scenario below with npx, run:

npx yarn-deduplicate yarn.lock

Usage

The most common scenario is to run

yarn-deduplicate yarn.lock

This will use the default strategy to remove duplicated packages in yarn.lock.

If you do not specify the yarn.lock path, it defaults to yarn.lock.

Check all available options with:

yarn-deduplicate --help

Duplicated packages

yarn.lock contains a list of all the dependencies required by your project (including transitive dependencies), and the actual package version installed to satisfy those dependencies.

For the context of this project, a "duplicated package" is a package that appears on multiple nodes of the dependency tree with overlapping version ranges but resolved to different versions.

For example, imagine that your project directly depends on lodash and babel, and babel depends on lodash as well. Specifically, your project depends on lodash@^1.0.0 and babel depends on lodash@^1.1.0. Because of how the resolution algorithm works in Yarn, you might end up with two different copies of lodash (for example, version 1.0.1 and 1.2.0) in your project, even though 1.2.0 would suffice to satisfy both requirements for lodash. That's a "duplicated package".

It is important to note that we do not consider packages duplicated when the version ranges don't overlap. For example, if your project depends on underscore@^1.0.0 and underscore@^2.0.0, your project will end up with two versions of underscore, and yarn-deduplicate won't change that.

When using yarn-deduplicate remember that it will change your dependency tree. There are certain code paths that now will run with a different set of dependencies. It is highly recommended that you review each change to yarn.lock. If the change is too big, use the flag --packages to deduplicate them gradually.

Why is this necessary?

Yarn documentation seems to suggest this package shouldn't be necessary. For example, in https://classic.yarnpkg.com/en/docs/cli/dedupe/, it says

The dedupe command isn’t necessary. yarn install will already dedupe.

This is, however, not exactly true. There are cases where yarn will not deduplicate existing packages. For example, this scenario:

  • Install libA. It depends on libB ^1.1.0. At this point, the latest version of libB is 1.1.2, so it gets installed as a transitive dependency in your repo

  • After a few days, install libC. It also depends on libB ^1.1.0. But this time, the latest libB version is 1.1.3.

In the above scenario, you'll end up with libB@1.1.2 and libB@1.1.3 in your repo.

Find more examples in:

Deduplication strategies

--strategy <strategy>

highest will try to use the highest installed version. For example, with the following yarn.lock:

library@^1.1.0:
  version "1.2.0"

library@^1.2.0:
  version "1.2.0"

library@^1.3.0:
  version "1.3.0"

It will deduplicate library@^1.1.0 and library@^1.2.0 to 1.3.0.

fewer will try to minimize the number of installed versions by trying to deduplicate to the version that satisfies most of the ranges first. For example, with the following yarn.lock:

library@*:
  version "2.0.0"

library@>=1.1.0:
  version "3.0.0"

library@^1.2.0:
  version "1.2.0"

It will deduplicate library@* and library@>=1.1.0 to 1.2.0.

Note that this may cause some packages to be downgraded. Be sure to check the changelogs between all versions and understand the consequences of that downgrade. If unsure, don't use this strategy.

It is not recommended to use different strategies for different packages. There is no guarantee that the strategy will be honored in subsequent runs of yarn-deduplicate unless the same set of flags is specified again.
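The two strategies above, worked through on the README's own yarn.lock samples. This is an added example, not yarn-deduplicate's code: the function names (satisfies, deduplicate, downgrades) are hypothetical, and the range matcher is a simplified stand-in for the semver package that only understands *, >=, ^, ~ and exact versions without pre-release tags.

```javascript
// Simplified model of the "highest" and "fewer" strategies (added example).
// Assumption: versions are plain x.y.z strings; pre-release tags are not handled.

const parse = (v) => v.split('.').map(Number);

// Negative if a < b, zero if equal, positive if a > b.
const cmp = (a, b) => {
  const x = parse(a);
  const y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Minimal range check covering only the forms that appear in the README.
function satisfies(version, range) {
  if (range === '*') return true;
  const m = /^(>=|\^|~)?(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const [, op, base] = m;
  if (!op) return cmp(version, base) === 0;      // exact pin
  if (cmp(version, base) < 0) return false;      // below the lower bound
  if (op === '>=') return true;
  const [maj, min] = parse(base);
  const [vMaj, vMin] = parse(version);
  if (op === '~') return vMaj === maj && vMin === min;
  // Caret: the leftmost non-zero component must not change.
  if (maj > 0) return vMaj === maj;
  if (min > 0) return vMaj === 0 && vMin === min;
  return cmp(version, base) === 0;               // ^0.0.x matches only x
}

// entries: [{ range, version }] for ONE package name, as read from yarn.lock.
// Returns a plan describing which version each range would resolve to.
function deduplicate(entries, strategy = 'highest') {
  const installed = [...new Set(entries.map((e) => e.version))];
  // Number of requested ranges that an installed version can satisfy.
  const coverage = (v) => entries.filter((e) => satisfies(v, e.range)).length;
  const order = {
    highest: (a, b) => cmp(b, a),
    fewer: (a, b) => coverage(b) - coverage(a) || cmp(b, a),
  }[strategy];
  if (!order) throw new Error(`unknown strategy: ${strategy}`);
  const candidates = installed.sort(order);
  return entries.map((e) => ({
    range: e.range,
    from: e.version,
    // Only versions already present in the lockfile are considered.
    to: candidates.find((v) => satisfies(v, e.range)) ?? e.version,
  }));
}

// Entries whose resolved version would go DOWN: the ones to review first.
const downgrades = (plan) => plan.filter((e) => cmp(e.to, e.from) < 0);

// The two yarn.lock samples from the README section above.
const README_HIGHEST = [
  { range: '^1.1.0', version: '1.2.0' },
  { range: '^1.2.0', version: '1.2.0' },
  { range: '^1.3.0', version: '1.3.0' },
];
const README_FEWER = [
  { range: '*', version: '2.0.0' },
  { range: '>=1.1.0', version: '3.0.0' },
  { range: '^1.2.0', version: '1.2.0' },
];

console.log('highest:', deduplicate(README_HIGHEST, 'highest'));
console.log('fewer:', deduplicate(README_FEWER, 'fewer'));
console.log('fewer downgrades:', downgrades(deduplicate(README_FEWER, 'fewer')));
```

On the second sample, fewer collapses three installed versions into one but moves library@* from 2.0.0 and library@>=1.1.0 from 3.0.0 down to 1.2.0, while highest on the same input leaves two versions installed and downgrades nothing.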

Progressive deduplication

--packages <package1> <package2> <packageN>

Receives a list of packages to deduplicate. It will ignore any other duplicated package not in the list. This option is recommended when the number of duplicated packages in yarn.lock is too big to be easily reviewed by a human. This will allow for a more controlled and progressive deduplication of yarn.lock.

--scopes <scope1> <scope2> <scopeN>

Receives a list of scopes to deduplicate. It will ignore any other duplicated package not in the list. This option is recommended when deduplicating a large number of inter-dependent packages from a single scope, such as @babel. This will allow for a more controlled and progressive deduplication of yarn.lock without specifying each package individually.

Excluding packages

--exclude <package1> <package2> <packageN>

--exclude-scopes <scope1> <scope2> <scopeN>

With these options you can exclude certain packages/scopes from the deduplication process. This is especially useful if you want to apply a different strategy for a scope, for example.

Pre-release versions

By default, yarn-deduplicate will only match pre-release versions if they share the same major, minor and patch versions (example: ^1.2.3-alpha.1 and 1.2.3-alpha.2 can be deduplicated, but ^1.2.3 and 1.2.4-alpha.1 can't). This matches the behaviour of semver.

To change this behaviour you can use the flag --includePrerelease. This will treat all pre-release versions as if they were normal versions (^1.2.3 and 1.2.4-alpha.1 can be deduplicated).

Usage in CI

This tool can be used as part of a CI workflow. Adding the flag --fail will force the process to exit with status 1 if there are duplicated packages. Example:

# Print the list of duplicated packages and exit with status 1
yarn-deduplicate --list --fail

# Deduplicate yarn.lock and exit with status 1 if changes were required
yarn-deduplicate --fail

Migration guide

From 2.x to 3.x

In this version we have adopted variadic arguments from commander.js. These are the equivalent commands:

#Old
yarn-deduplicate --packages libA,libB
yarn-deduplicate --scopes @scopeA,@scopeB
yarn-deduplicate --exclude libA,libB

#New
yarn-deduplicate --packages libA libB
yarn-deduplicate --scopes @scopeA @scopeB
yarn-deduplicate --exclude libA libB

A consequence of this change is that if you were using one or more of the affected options (--packages, --scopes or --exclude) and a custom path for yarn.lock, you need to use -- to "stop" package/scope/exclude parsing:

yarn-deduplicate --packages libA libB -- path/to/yarn.lock

From 0.x to 1.x

In this version we have renamed the project and refactored the CLI. These are the equivalent commands:

Installation

# Old
npm install -g yarn-tools

# New
npm install -g yarn-deduplicate

List duplicates

# Old
yarn-tools list-duplicates path/to/yarn.lock

# New
yarn-deduplicate --list path/to/yarn.lock

Deduplicate yarn.lock

# Old
yarn-tools fix-duplicates path/to/yarn.lock > tmp
mv tmp path/to/yarn.lock

# New
yarn-deduplicate path/to/yarn.lock

Limit packages to deduplicate yarn.lock

# Old
yarn-tools fix-duplicates path/to/yarn.lock package1 package2


# New
yarn-deduplicate --packages package1,package2 path/to/yarn.lock

License

Copyright (c) 2022 Sergio Cinos and others. Apache 2.0 licensed, see LICENSE.txt file.

yarn-deduplicate's Issues

Issues with yarn 2

After running yarn-deduplicate yarn.lock I get an error:
SyntaxError: Unknown token: { line: 3, col: 2, type: 'INVALID', value: undefined } 3:2 in lockfile
I found on forums that it's probably because of yarn 2.
Can anyone help?

Strategy that prefers "primary" version (specified in package.json)

Our desired deduplication strategy is for dependencies to use the "primary" version when possible (the one specified in package.json), rather than highest or fewer.

Problem

When using highest, when packages have loosely specified dependencies, introducing a new version into the tree (but not as the "primary") causes these packages to get upgraded to the newest version. This is not always desired, and can cause version mismatch issues.

For example, many packages allow @types/node: * or similarly loose versions. We specify a version of @types/node that ~aligns with the version of node we are using. But when we install/upgrade a package that asks for a higher version of @types/node, yarn-deduplicate then forces most of our other packages to use this new version, which is not what we want. At the moment, we get around this by excluding @types/node, but this is not ideal because we do want to deduplicate it.

Possible Solutions

  1. A new option called --preferPrimary or something like that. This would add a new rule that prefers the primary version where possible, and otherwise falls back to the --strategy.
  2. Similar, but implement as --strategy=primary. However, this might be a bit unclear as to what it falls back to, and not as flexible.

I'd be happy to try to draft a PR if maintainers are open to it!

List remaining duplicate packages

Some items can only be deduplicated if you choose to relax a different requirement manually (if you have a pinned version somewhere). It would be nice if this tool could list the packages that are currently not duplicated, because going through the lock file manually is of course tedious

warning " > [email protected]" has unmet peer dependency "yarn@^1.0.0".

At GitLab we're using yarn-deduplicate as a dev dependency and any time we run yarn install we're presented with:

warning " > [email protected]" has unmet peer dependency "yarn@^1.0.0".

I'm not really sure why yarn is itself a dependency of yarn-deduplicate. We have yarn installed globally and it doesn't live in node_modules, so there doesn't seem to be a good way to resolve this warning. I'm wondering why this peerDependency is necessary in the first place. It seems all of your required libs are found in @yarnpkg/lockfile.

Enable CircleCI for PRs

By default, CircleCI does not build PRs from forked repositories. To change this setting, go to the Advanced Settings of your project and set the Build forked pull requests option to On.

See CircleCI docs. And maybe you will also like Only build pull requests.

Update to yarn-tools versus a new package

Hi there, big fan of yarn-tools, and I suppose its successor, yarn-deduplicate

Out of curiosity, why was this not released as a new major version of yarn-tools to reflect the API breaks? Is it simply because of a reduction in planned scope of the original yarn-tools?

Thanks!

Lower tslib dependency

Could you lower tslib "^2.4.0" to tslib@^2, so (ironically) adding yarn-deduplicate to yarn.lock wouldn't add another entry to yarn.lock because some packages have tslib@~2.0.1 dependency:

✖  grep ^tslib yarn.lock
tslib@^1, tslib@^1.10.0, tslib@^1.8.1, tslib@^1.9.0, tslib@^1.9.3:
tslib@^2, tslib@^2.0.0, tslib@^2.0.1, tslib@^2.0.3, tslib@^2.1.0, tslib@^2.4.0:
tslib@~2.0.1:
tslib@~2.1.0:
tslib@~2.2.0:
tslib@~2.3.0:

Document why this is necessary

This thing works, but reading the Yarn documentation seems to suggest it shouldn't be necessary. I've tracked a few issues in the Yarn repo that suggest potential root causes, but I'm sure the authors of this package would be in a better position to explain it 😄

yarn-deduplicate not recognized

On windows 10 in VSCode project terminal:

After yarn global install yarn-deduplicate and VS restart, in console I get:

yarn-deduplicate is not recognized as an internal or external command, operable program or batch file

Diagnosis for dependencies with non-overlapping versions

The readme states, "it is important to note that we do not consider duplicated packages when the version ranges don't overlap."

However, diagnosis of this would be a useful feature. In big open-source monorepos, over time a lot of duplicate dependencies accumulate. Having a list of those, to then manually check and de-duplicate, would be great!

Not aggregating when specific "version" property is set differently

Let's say I have this yarn.lock:

schema-utils@^3.0.0:
  version "3.0.0"

schema-utils@^3.1.0:
  version "3.1.0"

schema-utils@^3.1.1:
  version "3.1.1"

If I use yarn-deduplicate, it returns schema-utils@^3.0.0, schema-utils@^3.1.0, schema-utils@^3.1.1:, which is exactly what I wanted.

Now let's say I have this yarn.lock:

schema-utils@^3.0.0:
  version "3.1.1"

schema-utils@^3.1.0:
  version "3.1.1"

schema-utils@^3.1.1:
  version "3.1.1"

If I use yarn-deduplicate, it doesn't return schema-utils@^3.0.0, schema-utils@^3.1.0, schema-utils@^3.1.1:, but I thought it should return it. Did I understand it incorrectly?

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • Update dependency eslint-config-prettier to ^8.10.0
  • Update dependency node to v14.21.3
  • Update Yarn to v4
  • Update actions/checkout action to v4
  • Update actions/setup-node action to v4
  • Update dependency @release-it/keep-a-changelog to v5
  • Update dependency @tsconfig/node12 to v12
  • Update dependency commander to v12
  • Update dependency eslint to v9
  • Update dependency eslint-config-prettier to v9
  • Update dependency eslint-plugin-jest to v28
  • Update dependency eslint-plugin-prettier to v5
  • Update dependency node to v20
  • Update dependency prettier to v3
  • Update dependency release-it to v17
  • πŸ” Create all rate-limited PRs at once πŸ”

Other Branches

These updates are pending. To force PRs open, click the checkbox below.

  • Update dependency semver to v7.5.2 [SECURITY]

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

github-actions
.github/workflows/node.js.yml
  • actions/checkout v3
  • actions/setup-node v3
npm
package.json
  • @yarnpkg/lockfile ^1.1.0
  • commander ^10.0.1
  • semver ^7.5.0
  • tslib ^2.5.0
  • @babel/core ^7.21.8
  • @babel/preset-env ^7.21.5
  • @babel/preset-typescript ^7.21.5
  • @release-it/keep-a-changelog ^3.1.0
  • @tsconfig/node12 ^1.0.11
  • @types/jest ^29.5.1
  • @types/semver ^7.5.0
  • @types/yarnpkg__lockfile ^1.1.5
  • eslint ^8.38.0
  • eslint-config-prettier ^8.8.0
  • eslint-plugin-jest ^27.2.1
  • eslint-plugin-md ^1.0.19
  • eslint-plugin-prettier ^4.2.1
  • jest ^29.5.0
  • outdent ^0.8.0
  • prettier ^2.8.8
  • release-it ^15.10.3
  • typescript ^5.0.4
  • node >=v14
  • yarn 3.5.1
nvm
.nvmrc
  • node 14

  • Check this box to trigger a request for Renovate to run again on this repository

No binaries in the package

Originally reported by David Matas (Bitbucket: davidmatas, GitHub: davidmatas)


Hi, I'm trying to install yarn-tools but it seems there isn't a binary in the package:

❯ yarn global add yarn-tools
yarn global v0.27.5
warning package.json: No license field
warning No license field
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
warning "[email protected]" has no binaries
warning No license field
Done in 1.94s.

So, I can't find it in the path:

zsh: command not found: yarn-tools

yarn-deduplicate: command not found

Node version : 15.14.0
Yarn version : 1.22.5

I have duplicates in my yarn.lock file

I have installed yarn-deduplicate using

yarn global add yarn-deduplicate

But, when running the command yarn-deduplicate,

I am getting this

image

Give a friendlier message for --fail --list

Thanks for setting up this great library!

Here's an example in CI of a failure:

$ yarn-deduplicate --fail --list
Package "@assemblyscript/loader" wants ^0.10.1 and could get 0.10.2, but got 0.10.1
error Command failed with exit code 1.

The error message doesn't indicate what someone should do to resolve it (npx deduplicate). Would you accept a PR that adds a friendly message if --fail and --list are provided?

$ yarn-deduplicate --fail --list
Package "@assemblyscript/loader" wants ^0.10.1 and could get 0.10.2, but got 0.10.1
Run `npx yarn-deduplicate` to deduplicate yarn.lock entries
error Command failed with exit code 1.

Support yarn berry

Hello,

It seems yarn 2 still needs this. I started working on a version that only supports yarn berry: https://github.com/christophehurpeau/yarn-deduplicate/tree/wip-berry

My findings are:

  • use of @yarnpkg/parsers instead of @yarnpkg/lockfile. It also means that the packages are not split automatically like it was the case in @yarnpkg/lockfile, so merging has to be handled manually
  • there is a new information before the version (I called it source, but not sure if it's the right name). In my lockfiles, it's almost always npm, except for different versions of resolve, like resolve@^1.10.0 and other patched versions of resolve, like resolve@patch:resolve@^1.10.0#builtin<compat/resolve>

Do you plan to work on a berry version?

failed to deduplicate http url versions

image

eslint-plugin-mdx@^1.12.0:
  version "1.12.0"
  resolved "https://registry.yarnpkg.com/eslint-plugin-mdx/-/eslint-plugin-mdx-1.12.0.tgz#7d8a722eb6cd97f3d81aa02fb3430f5fe17c1797"
  integrity sha512-d+vmIyyoDvRjQ0XGZ1v9DtnEk79dUOK+LzHoDGlBvtQHjlMyHl54Mw4EblX3d3nysyLss3+1V0SOrj+e9F+lNQ==
  dependencies:
    cosmiconfig "^7.0.0"
    eslint-mdx "^1.12.0"
    remark-mdx "^1.6.22"
    remark-parse "^8.0.3"
    remark-stringify "^8.1.1"
    tslib "^2.1.0"
    unified "^9.2.1"
    vfile "^4.2.1"

"eslint-plugin-mdx@https://pkg.csb.dev/mdx-js/eslint-mdx/commit/6a3b2aa4/eslint-plugin-mdx":
  version "1.12.0"
  resolved "https://pkg.csb.dev/mdx-js/eslint-mdx/commit/6a3b2aa4/eslint-plugin-mdx#3e16a11e9ae1231d374ff3c60c0dc6af3dcbb09a"
  dependencies:
    cosmiconfig "^7.0.0"
    eslint-mdx "https://pkg.csb.dev/mdx-js/eslint-mdx/commit/6a3b2aa4/eslint-mdx"
    eslint-plugin-markdown "^2.1.0"
    remark-mdx "^1.6.22"
    remark-parse "^8.0.3"
    remark-stringify "^8.1.1"
    synckit "^0.1.5"
    tslib "^2.2.0"
    unified "^9.2.1"
    vfile "^4.2.1"

"eslint-plugin-mdx": "https://pkg.csb.dev/mdx-js/eslint-mdx/commit/6a3b2aa4/eslint-plugin-mdx" is used in package.json, and the normal one is installed by a (dev) dependency.

It should consider dep in package.json with higher priority, and deduplicate them.

Add support for node@6 again

Problem

I tried to introduce yarn-deduplicate as a dev dependency to use it in a CI script: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/21591

We are also checking our asset compilation pipeline to not break on node@6, because it is still LTS and supported until March 2019. The engine >= 8.0 specification in the package.json breaks those tests. For example: https://gitlab.com/gitlab-org/gitlab-ce/-/jobs/132836273

Solution

After looking at the code base, the only thing which uses features of node >= 8.0, are the tests with async/await. The actual CLI works fine for node@6, I tested it locally.

This MR adds E2E to the circle CI config, that run the CLI on a higher level and ensure that there is no funny exit code. It also sets the engine to >= 6.0

Add TypeScript types

It would be handy to have TypeScript definitions for this package. I'm using it as a library so that I can test that my yarn.lock does not have duplicates. I'm basically just running listDuplicates and ensuring its length is 0.

scheduler not deduplicated when it should be

Run yarn install with the following package.json:

{
  "name": "test_scheduler",
  "dependencies": {
    "react-dom": "~16.12.0",
    "enzyme-adapter-react-16": "~1.15.2"
  }
}

And then run yarn -s fewer yarn.lock and then run yarn why to notice that 2 versions are still there when they should be combined:

yarn why v1.22.0
warning package.json: No license field
[1/4] 🤔  Why do we have the module "scheduler"...?
[2/4] 🚚  Initialising dependency graph...
warning test_scheduler: No license field
[3/4] 🔍  Finding dependency...
[4/4] 🚑  Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "react-dom" depends on it
   - Hoisted from "react-dom#scheduler"
info Disk size without dependencies: "208KB"
info Disk size with unique dependencies: "256KB"
info Disk size with transitive dependencies: "284KB"
info Number of shared dependencies: 2
=> Found "react-test-renderer#[email protected]"
info This module exists because "enzyme-adapter-react-16#react-test-renderer" depends on it.
info Disk size without dependencies: "204KB"
info Disk size with unique dependencies: "252KB"
info Disk size with transitive dependencies: "280KB"
info Number of shared dependencies: 2
✨  Done in 0.10s.

Didn't deduplicate

I got these deduplicate warnings in my project:

Running yarn-deduplicate yarn.lock has no effect.

This is my package.json:


{
  "dependencies": {
    "@babel/runtime": "^7.3.4",
    "fbjs": "^0.8.17",
    "lodash": "^4.17.11",
    "lodash.isequal": "^4.5.0",
    "metro-react-native-babel-preset": "^0.52.0",
    "native-base": "^2.12.0",
    "npm": "^6.8.0",
    "prop-types": "^15.6.1",
    "react": "16.6.3",
    "react-devtools": "^3.2.1",
    "react-native": "0.58.5",
    "react-native-cacheable-image": "^2.0.0",
    "react-native-fast-image": "^5.1.2",
    "react-native-firebase": "^4.3.8",
    "react-native-grid-list": "^1.0.9",
    "react-native-image-zoom-viewer": "^2.2.23",
    "react-native-modal-dropdown": "^0.6.2",
    "react-native-render-html": "^3.9.3",
    "react-native-safe-area-view": "^0.7.0",
    "react-native-scrolling-menu": "experiment322/react-native-scrolling-menu",
    "react-native-transformable-image": "https://github.com/xstable/react-native-transformable-image.git",
    "react-native-vector-icons": "^6.1.0",
    "react-native-video": "tranvinhtruong/react-native-video",
    "react-native-video-player": "https://github.com/tranvinhtruong/react-native-video-player",
    "react-native-youtube": "^1.1.0",
    "react-navigation": "^1.5.11",
    "reactotron-react-native": "^1.14.0",
    "webpack": "^4.5.0"
  },
  "devDependencies": {
    "@babel/core": "^7.0.0",
    "@babel/preset-flow": "^7.0.0",
    "@babel/register": "^7.0.0",
    "babel-core": "^7.0.0-bridge.0",
    "babel-eslint": "^9.0.0",
    "babel-jest": "^23.4.2",
    "babel-plugin-transform-remove-console": "^6.9.2",
    "eslint": "^5.12.1",
    "eslint-config-airbnb": "^17.1.0",
    "eslint-plugin-import": "^2.14.0",
    "eslint-plugin-jsx-a11y": "^6.1.1",
    "eslint-plugin-react": "^7.11.1",
    "eslint-plugin-react-native": "^3.2.1",
    "jest": "23.6.0",
    "react-test-renderer": "16.6.1"
  },
  "jest": {
    "preset": "react-native"
  }
}

Any idea why deduplication didn't work?

Updating Packages already de-duped by yarn

I was wondering if this module can be used to update packages that are already de-duped by yarn. For example, say there are multiple modules that have module X defined as ^0.5.0, ^0.5.1, etc., and currently it has already been de-duped by yarn and uses v0.5.1. Would this be able to update it to v0.5.5, since this is the latest version that satisfies every module's condition?

SyntaxError: Unknown token 3:1 in lockfile

Originally reported by Anonymous


yarn-tools list-duplicates yarn.lock

SyntaxError: Unknown token 3:1 in lockfile
    at Parser.unexpected (C:\Users\predrags\AppData\Local\Yarn\config\global\node_modules\@yarnpkg\lockfile\index.js:4276:11)
    at Parser.parse (C:\Users\predrags\AppData\Local\Yarn\config\global\node_modules\@yarnpkg\lockfile\index.js:4381:14)
    at parse (C:\Users\predrags\AppData\Local\Yarn\config\global\node_modules\@yarnpkg\lockfile\index.js:4450:17)
    at Object.module.exports.exports.default (C:\Users\predrags\AppData\Local\Yarn\config\global\node_modules\@yarnpkg\lockfile\index.js:4062:96)
    at module.exports (C:\Users\predrags\AppData\Local\Yarn\config\global\node_modules\yarn-tools\modules\list-duplicates.js:8:27)
    at Command.commander.command.description.action (C:\Users\predrags\AppData\Local\Yarn\config\global\node_modules\yarn-tools\index.js:17:33)
    at <anonymous>

First 30 lines of yarn.lock:

# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@mapbox/[email protected]":
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/@mapbox/geojsonhint/-/geojsonhint-2.0.1.tgz#32dac7300f04b3ebaec74b5ba9853dfb42532354"
  dependencies:
    concat-stream "~1.5.1"
    jsonlint-lines "1.7.1"
    minimist "1.2.0"
    vfile "2.0.0"
    vfile-reporter "3.0.0"

"@sailshq/body-parser@^1.13.3":
  version "1.13.4"
  resolved "https://registry.yarnpkg.com/@sailshq/body-parser/-/body-parser-1.13.4.tgz#313e501619a86273dffd6d1cb916742a5d9e8e1b"
  dependencies:
    "@sailshq/qs" "^4.0.1"
    bytes "2.1.0"
    content-type "~1.0.1"
    debug "~2.2.0"
    depd "~1.0.1"
    http-errors "~1.3.1"
    iconv-lite "0.4.11"
    on-finished "~2.3.0"
    raw-body "~2.1.2"
    type-is "~1.6.6"



Take an argument to check for duplicated dependencies

I'd like to have an option to check for duplicated dependencies, and then fail my CI build if there are duplicate dependencies. Right now I have to do this by checking if the length of listed deduplicated dependencies is equal to 0.

Would you take a third command, yarn deduplicate --check /path/to/yarn.lock which would process.exit(1) if there are duplicated dependencies, and process.exit(0) if there are none? I'm happy to submit a PR if you'd take the change!

`Yarn-tools` changes order of `integrity` field, moves it to tail

Hi, with the recent addition of the integrity field (yarnpkg/yarn#5042), yarn-tools started to alter a valid yarn.lock, and it produces diffs with no real change.

Before running it is

"@types/react-virtualized@^9.7.4":
  version "9.18.5"
  resolved "https://registry.yarnpkg.com/@types/react-virtualized/-/react-virtualized-9.18.5.tgz#8c6b4e739e2fc4a601dd3e5e114dd0deeba56cc7"
  integrity sha512-ptqFDzemkXGMf7ylch/bCV+XTDvVjD9dRymzcjOPIxg8Hqt/uesOye10GXItFbsxJx9VZeJBYrR8FFTauu+hHg==
  dependencies:
    "@types/prop-types" "*"
    "@types/react" "*"

and after yarn-tools it is

"@types/react-virtualized@^9.7.4":
  version "9.18.5"
  resolved "https://registry.yarnpkg.com/@types/react-virtualized/-/react-virtualized-9.18.5.tgz#8c6b4e739e2fc4a601dd3e5e114dd0deeba56cc7"
  dependencies:
    "@types/prop-types" "*"
    "@types/react" "*"
  integrity sha512-ptqFDzemkXGMf7ylch/bCV+XTDvVjD9dRymzcjOPIxg8Hqt/uesOye10GXItFbsxJx9VZeJBYrR8FFTauu+hHg==
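
An added example (not yarn-tools or yarn code) for reviewing a diff like the one reported above: it compares two yarn.lock v1 texts field by field, ignoring order, so a reorder-only change reports nothing while an altered integrity or resolved value is flagged. The parser is a simplified one written for this example; parseLock, lockDiff and the TAMPERED sample are hypothetical names and constructed input.

```javascript
// Sample input built from the entry in the report above.
const HEAD = '"@types/react-virtualized@^9.7.4":\n  version "9.18.5"\n' +
  '  resolved "https://registry.yarnpkg.com/@types/react-virtualized/-/react-virtualized-9.18.5.tgz#8c6b4e739e2fc4a601dd3e5e114dd0deeba56cc7"\n';
const INTEGRITY = '  integrity sha512-ptqFDzemkXGMf7ylch/bCV+XTDvVjD9dRymzcjOPIxg8Hqt/uesOye10GXItFbsxJx9VZeJBYrR8FFTauu+hHg==\n';
const DEPS = '  dependencies:\n    "@types/prop-types" "*"\n    "@types/react" "*"\n';
const BEFORE = HEAD + INTEGRITY + DEPS;  // field order before the tool ran
const AFTER = HEAD + DEPS + INTEGRITY;   // integrity moved to the tail, as reported
const TAMPERED = AFTER.replace('sha512-ptq', 'sha512-XXX'); // constructed: hash altered

// Parse yarn.lock v1 text into { entryKey: { fieldPath: value } }.
// Simplified (assumption): two-space indentation and one level of nesting.
function parseLock(text) {
  const entries = Object.create(null);
  let entry = null, section = '';
  for (const raw of text.split('\n')) {
    const line = raw.trimEnd();
    if (!line || line.startsWith('#')) continue;
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 0) { entry = entries[body.slice(0, -1)] = Object.create(null); section = ''; continue; }
    if (!entry) continue;                       // field line before any entry header
    if (body.endsWith(':')) { section = body.slice(0, -1) + '/'; continue; }
    if (indent === 2) section = '';             // a top-level field closes the open section
    const cut = body.indexOf(' ');
    entry[section + body.slice(0, cut)] = body.slice(cut + 1);
  }
  return entries;
}

// List semantic differences between two lockfiles; field order is ignored.
function lockDiff(beforeText, afterText) {
  const a = parseLock(beforeText), b = parseLock(afterText);
  const diffs = [];
  for (const key of new Set([...Object.keys(a), ...Object.keys(b)])) {
    if (!a[key] || !b[key]) { diffs.push(`${key}: entry ${a[key] ? 'removed' : 'added'}`); continue; }
    for (const f of new Set([...Object.keys(a[key]), ...Object.keys(b[key])])) {
      if (a[key][f] !== b[key][f]) diffs.push(`${key}: ${f} changed`);
    }
  }
  return diffs;
}

console.log(lockDiff(BEFORE, AFTER), lockDiff(BEFORE, TAMPERED));
```

An empty result means the textual diff is reordering only; any reported integrity or resolved change deserves a manual look before the lockfile is committed.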

Motivation

Is there a relevant yarn issue that this package is resolving? If so, could it be added to the README? This seems like behavior that should be in yarn by default.

Error: unknown option '--exclude-scopes'

Hello yarn-deduplicate team. I am using the [email protected]. I noticed that in the Readme doc there is an option --exclude-scopes. However, when I try to use this option, I get an error: unknown options '--exclude-scopes'. And this is what I get if I run --help:

image

It seems this option has been removed/not implemented yet.

I am wondering, is it possible to add this option? It seems very useful in some cases, especially if we want to run yarn-deduplicate every time before merging a PR.

Also thank you very much for this great project.

Feature request: --check flag

It would be nice if yarn-deduplicate supported a --check flag, which could be used on CI. The expected behavior would be: if called with the --check flag, yarn-deduplicate does not modify the yarn.lock file, but instead checks to see if it should be modified. If so, it exits with a non-zero exit code.

Running `yarn install` after `yarn-tools fix-duplicates` sometimes changes the `yarn.lock` file

Originally reported by Ruslan Arkhipau (Bitbucket: rarkhipau-at-atlassian, GitHub: Unknown)


Essentially this boils down to: "Whatever the fix-duplicates command is doing can get out of sync with what yarn itself is doing".

It might be worth adding a line to the readme saying "after updating the lock file with yarn-tools fix-duplicates, make sure to run the yarn install command".


invalid package.json files in .history breaks flow type checker

flow type checks json files under node_modules by default

The following json files are invalid causing flow to fail:

  • node_modules/yarn/deduplicate/.history/package_20181018055733.json:
  • node_modules/yarn-deduplicate/.history/package_20181018055741.json

Can we remove/fix these files?

Steps to reproduce:

$ yarn flow check

Error -----------------------------------------node_modules/yarn/deduplicate/.history/package_20181018055733.json:41:3

Unexpected token }

   41|   }
         ^


Error ------------------------------------------ node_modules/yarn-deduplicate/.history/package_20181018055741.json:41:3

Unexpected token }

   41|   }
         ^
