
yarn upgrade replaces custom github repos with actual npm published ones if name happens to match #2501

Closed
rally25rs opened this issue Jan 19, 2017 · 4 comments

@rally25rs
Contributor

Do you want to request a feature or report a bug?

Bug

What is the current behavior?

During yarn install a custom github URL in package.json will be used to fetch a package.

During yarn upgrade the online NPM package is used, and yarn ignores a custom URL defined in package.json.

This can be very problematic for organizations that use private github repos, and their repo name happens to align with another existing NPM repo. Or, in the future someone could publish an NPM repo by the same name as your private repo and your build environment may inadvertently download this published package instead of using your private repo.

If the current behavior is a bug, please provide the steps to reproduce.

Add a custom package name that happens to match an actual NPM package, but use a GitHub URL in your package.json. For example, a package named "ui-components" is a private GitHub repo, but also happens to be an actual NPM package:

  "dependencies": {
    "ui-components": "git+ssh://git@github.com/MyCompany/ui-components.git#master",

Now run yarn install and the files from the private github.com/MyCompany/ui-components repo will be installed in node_modules 👍

Now run yarn outdated to check for updates. This reports:

yarn outdated v0.19.1
Package        Current Wanted Latest Package Type    URL
ui-components  3.0.0   exotic exotic dependencies    git+ssh://git@github.com/MyCompany/ui-components.git#master

This still looks correct so far 👍

Now in an attempt to grab the latest code from that private repo, run: yarn upgrade ui-components

This will result in Yarn downloading and installing the NPM-published "ui-components" NOT the private repo code listed in the URL. 👎

It also REPLACES the custom github URL in the package.json file with:

  "dependencies": {
    "ui-components": "~1.0.0",

so future updates no longer use my private repo 👎

This actually poses a security risk. Consider the attack: I find out the name of a company's private repo and know that their CI server does a yarn upgrade at some point. I could publish a new npm package by that name with malicious code, and their CI server would download and potentially execute it.

What is the expected behavior?

yarn upgrade should attempt to resolve the package-name-to-URL mapping from the package.json file before using the NPM listed URL.

yarn upgrade should leave the custom GitHub URL in the package.json file.

Please mention your node.js, yarn and operating system version.

node: v6.3.0 (installed by nvm)
yarn: v0.19.1 (installed by homebrew)
os: macOS 10.12 Sierra

@rally25rs
Contributor Author

rally25rs commented Jan 19, 2017

After debugging through the code a bit, I think this is related to the way the command yarn upgrade <package> works.

From the docs:

This upgrades a single named package to the version specified by the latest tag (potentially upgrading the package across major versions).

So it looks like what it does is just ignore anything in package.json about this package, and gets the latest version from NPM. This means it no longer knows that the "specified version" in the package.json is actually a custom URL.

I think the command npm upgrade ui-components@git+ssh://git@github.com/MyCompany/ui-components.git#master is actually what I should be running to get the behavior I want, but that is awfully inconvenient...

I think I could also just run yarn upgrade but that would update all packages, which is not what I want... I just want to make sure I have the latest code from any private repos.

Edit:

yarn upgrade
-and-
yarn upgrade ui-components@git+ssh://git@github.com/MyCompany/ui-components.git#master
both leave the old code in place, related to #1573

@juanca
Contributor

juanca commented Feb 25, 2017

I opened a pull request which mirrors npm upgrade behavior.

@juanca
Contributor

juanca commented Feb 27, 2017

This should be fixed. Please double check.

@schneidmaster

@juanca Seems to be fixed for me now, FWIW.
