Yarn v2 – post-resolution validation errors

[joeyfigaro]

Yarn install seems to succeed, but sits silently after that for about 3.5 minutes. Then it fails with the following:

The lockfile would have been modified by this install, which is explicitly forbidden.

I'm now on a brand new application (I was hoping the issue was that my original app was just too stale) and I can't for the life of me figure out why this validation step is failing. From what I can tell, heroku is just running yarn install which should produce the same results I have here on my machine.

I've tried clearing the build cache, disabling caching, and killing repo history. I've confirmed that my lockfile is up-to-date, and none of the support articles I've found seem to address the specific error I'm encountering; any relevant ones I have found are focused on the lockfile being out of date, which is a simple fix.

Buildpacks

• heroku/nodejs@latest
• blockhq/heroku-buildpack-yarn-workspaces@latest <- new addition I tried out. Result is same.

Engines

• Node v12.20.0
• Yarn v2.4.1

Build Log

remote: -----> Creating runtime environment
remote:
remote:        NPM_CONFIG_LOGLEVEL=info
remote:        USE_YARN_CACHE=false
remote:        NODE_VERBOSE=true
remote:        NODE_ENV=staging
remote:        NODE_MODULES_CACHE=false
remote:
remote: -----> Installing binaries
remote:        engines.node (package.json):  12.20.0
remote:        engines.npm (package.json):   unspecified (use default)
remote:        engines.yarn (package.json):  unspecified (use default)
remote:
remote:        Resolving node version 12.20.0...
remote:        Downloading and installing node 12.20.0...
remote:        Using default npm version: 6.14.8
remote:        Resolving yarn version 1.22.x...
remote:        Downloading and installing yarn (1.22.10)
remote:        Using yarn 2.4.1
remote:
remote: -----> Restoring cache
remote:        Caching has been disabled because NODE_MODULES_CACHE=false
remote:
remote: -----> Installing dependencies
remote:        Running 'yarn install' with yarn.lock
remote:        ➤ YN0000: ┌ Resolution step
remote:        ➤ YN0002: │ @endemolshinegroup/cosmiconfig-typescript-loader@npm:3.0.2 [c21ab] doesn't provide typescript (pb7352), requested by ts-node
remote:        ➤ YN0002: │ @firebase/auth@npm:0.16.4 [a40cc] doesn't provide @firebase/app-types (pa6d12), requested by @firebase/auth-types
remote:        ➤ YN0002: │ @firebase/auth@npm:0.16.4 [a40cc] doesn't provide @firebase/util (p6dbca), requested by @firebase/auth-types
remote:        ➤ YN0002: │ @firebase/database@npm:0.8.3 doesn't provide @firebase/app-types (p63919), requested by @firebase/auth-interop-types
remote:        ➤ YN0002: │ @firebase/database@npm:0.9.6 doesn't provide @firebase/app-types (p6c6b1), requested by @firebase/auth-interop-types
remote:        ➤ YN0002: │ @graphql-tools/graphql-tag-pluck@npm:6.4.0 [4af48] doesn't provide vue (p135cf), requested by @vue/compiler-sfc
remote:        ➤ YN0002: │ @graphql-tools/graphql-tag-pluck@npm:6.4.0 [8d221] doesn't provide vue (p92e5e), requested by @vue/compiler-sfc
remote:        ➤ YN0060: │ @groupic/api@workspace:packages/api provides graphql (p69d57) with version 14.7.0, which doesn't satisfy what @graphql-codegen/import-types-preset and some of its descendants request
remote:        ➤ YN0060: │ @groupic/api@workspace:packages/api provides jest (p20dbd) with version 25.5.4, which doesn't satisfy what ts-jest requests
remote:        ➤ YN0060: │ @groupic/api@workspace:packages/api provides ts-loader (p40b23) with version 8.1.0, which doesn't satisfy what webpack-graphql-loader requests
remote:        ➤ YN0002: │ @groupic/common@workspace:packages/common doesn't provide @types/qs (pce84e), requested by twilio
remote:        ➤ YN0002: │ @groupic/gql@workspace:packages/gql doesn't provide graphql (p7906e), requested by apollo-server-express
remote:        ➤ YN0002: │ @groupic/types@workspace:packages/types doesn't provide @react-native-community/masked-view (p1bce7), requested by @react-navigation/stack
remote:        ➤ YN0002: │ @groupic/types@workspace:packages/types doesn't provide react (pcc00c), requested by @react-navigation/native
remote:        ➤ YN0002: │ @groupic/types@workspace:packages/types doesn't provide react (pb47d6), requested by @react-navigation/stack
remote:        ➤ YN0002: │ @groupic/types@workspace:packages/types doesn't provide react (pb65fc), requested by react-native-safe-area-context
remote:        ➤ YN0002: │ @groupic/types@workspace:packages/types doesn't provide react-native (pe2840), requested by @react-navigation/native
remote:        ➤ YN0002: │ @groupic/types@workspace:packages/types doesn't provide react-native (p6b7eb), requested by @react-navigation/stack
remote:        ➤ YN0002: │ @groupic/types@workspace:packages/types doesn't provide react-native (pa0acb), requested by react-native-safe-area-context
remote:        ➤ YN0002: │ @groupic/types@workspace:packages/types doesn't provide react-native-screens (p5e771), requested by @react-navigation/stack
remote:        ➤ YN0002: │ @paljs/plugins@npm:2.11.1 doesn't provide graphql (p3e5f8), requested by graphql-tag
remote:        ➤ YN0000: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code
remote:        ➤ YN0000: └ Completed in 0s 736ms 
...
...	lockfile diff results: https://ghostbin.co/paste/ku3mt
...
       ➤ YN0000: │ 
       ➤ YN0028: │ The lockfile would have been modified by this install, which is explicitly forbidden.
       ➤ YN0000: └ Completed in 3m 31s
       ➤ YN0000: Failed with errors in 3m 32s

Let me know if you need more information, and thank you in advance!

Edit

I forgot about --immutable – is there any way to instruct heroku to pass it?
Added validation results after noticing the inline diff for versions.

[joeyfigaro]

YN0028 (--frozen-lockfile exception)

It looks like a slew of package versions are being modified/changed on install. I don't know how to reproduce this on my machine–using --immutable does not produce a modified lockfile for me. Only obvious difference I see is that heroku seems to be ignoring the registry url specified in my .yarnrc.yml and is instead opting for the npm registry.

.yarnrc.yml

enableScripts: true

nmHoistingLimits: workspaces

nodeLinker: node-modules

npmRegistryServer: https://registry.yarnpkg.com # <-- seems to be ignored by heroku

checksumBehavior: update # <-- also seems to be ignored, but possible that --immutable overrides this

plugins:
  - path: .yarn/plugins/@yarnpkg/plugin-version.cjs
    spec: "@yarnpkg/plugin-version"
  - path: .yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs
    spec: "@yarnpkg/plugin-workspace-tools"
  - path: .yarn/plugins/@yarnpkg/plugin-workspaces-watch.cjs
    spec: "https://raw.githubusercontent.com/voodooattack/yarn-plugin-workspaces-watch/master/bundles/%40yarnpkg/plugin-workspaces-watch.js"

yarnPath: .yarn/releases/yarn-2.4.1.cjs

npmRegistries:
  "https://registry.yarnpkg.com":
    npmAuthToken: ${NPM_REGISTRY_AUTH_TOKEN}

npmScopes:
  groupic:
    npmAuthToken: ${NPM_SCOPE_AUTH_TOKEN}

[joeyfigaro]

Just attempted to blow away yarn.lock, create a new one via yarn install and deploy it. Same results.

[ymoon715]

Im getting this error on jenkins pipeline as well.

[andrewlorenz]

I'm getting this error on bitbucket pipelines as well, using yarn 3.2.0. I have a yarn config in a pipeline step so I can see all the active settings and checksumBehavior is set to 'update', plus the yarn.lock shows as having 'rw' access for root. So I'm struggling to think of anything else to try

[damienbry]

I got this error when using yarn PnP workspaces, with a local .yarnrc.yml in one of my workspaces.
More specifically, I overrode packageExtensions parameter of the in that "workspaces/my-package/.yarnrc.yml"

Depending on where I ran the yarn install (in the root /, or in workspaces/my-package), the command yarn install --immutable would fail or not.

I solved this by moving the packageExtensions parameter from the local .yarnrc.yml to the root one 👍
In the meantime I added this to my pre-commit process so that I won't be fooled twice