Can't update HD1 dependencies

[davidmehren]

Description

Yarn 1 seemingly breaks when packages rename their dependencies.

Via rimraf, we depend on @isaacs/cliui. This package depends on two versions of string-width simultaneously, see its package.json:

    "string-width": "^5.1.2",
    "string-width-cjs": "npm:string-width@^4.2.0",

string-width 5 is ESM-only, so version 4 is renamed to string-width-cjs. Yarn 1 seems to only support this properly when no yarn.lock is present. On every install attempt after the lockfile is created, Yarn 1 incorrectly hoists the more recent (ESM-only) version to the root of node_modules, which breaks imports from Common JS modules.

Yarn also complains about packages wanting to write to the same directory.

Other people experiencing this issue:

• Dependency on @isaacs/cliui@8.0.2 is broken isaacs/jackspeak#5 (comment)
• fix: handle strings the same in cjs, esm, and deno yargs/cliui#139 (comment)

Steps to reproduce

• Checkout fix(deps): update dependency rimraf to v5.0.1 (master) - autoclosed #4069
• Remove node_modules and yarn.lock
• Run yarn install and observe success
• Remove node_modules again
• Run yarn install and observe brokenness

Expected behavior

Install succeeds.

Logs

No response

Config

No response

Your Setup

• Host OS: Fedora 38
• NodeJS version: v16.20.0, Yarn 1.22.19

[davidmehren]

Yarn fixed this in version 2 and up: yarnpkg/yarn#4812 (comment)

We can now

• stop updating dependencies that cause the bug
• pin dependency versions using resolutions, violating dependency constraints of some packages
• update to Yarn 3

I'd favor option three, but wonder how much this will break people's setup?

[mrdrogdrog]

Option 3 still sounds better then having out of date packages.

[ErikMichelson]

The switch to yarn berry has been merged and will be released soon.