yarn.lock not published by npm publish anymore

What I Wanted to Do

We’re running whatever version of npm comes with the latest node LTS, which means it was recently upgraded from 6.4.1 to 6.9, so the bug happened somewhere in that range of versions.

When using npm publish, yarn.lock used to be published. It is not anymore. Flipping between 6.4.1 and 6.9 leads to different packages, and the difference is that file.

Reproduction Steps

From an empty repo, npm init, yarn add taco, npm publish --dry-run.

With 6.9:

npm notice 
npm notice 📦  npm-publish@1.0.0
npm notice === Tarball Contents === 
npm notice 253B package.json
npm notice === Tarball Details === 
npm notice name:          npm-publish                             
npm notice version:       1.0.0                                   
npm notice package size:  265 B                                   
npm notice unpacked size: 253 B                                   
npm notice shasum:        fbe101b58e31ce167fe38309c96a4e5a37987b56
npm notice integrity:     sha512-Q0nF4PTqYgNVB[...]mbvOQTH6zncHg==
npm notice total files:   1                                       
npm notice 
+ npm-publish@1.0.0

With 6.4.1:

npm notice 
npm notice 📦  npm-publish@1.0.0
npm notice === Tarball Contents === 
npm notice 253B  package.json
npm notice 5.0kB yarn.lock   
npm notice === Tarball Details === 
npm notice name:          npm-publish                             
npm notice version:       1.0.0                                   
npm notice package size:  2.3 kB                                  
npm notice unpacked size: 5.3 kB                                  
npm notice shasum:        eaff0597b92c4f44e265835c034743d989c03e34
npm notice integrity:     sha512-aDod27Nh2vSls[...]CbBlBMiiNCt+Q==
npm notice total files:   2                                       
npm notice 
+ npm-publish@1.0.0

Platform Info

Ubuntu 18.04. See npm version above

You must not want to publish either yarn.lock or package-lock.json.

I want to publish yarn.lock. And whether that should be the default behavior or not, it is not documented, and is a breaking change in a minor semver release.

¯_(ツ)_/¯

Have you tried adding an empty .npmignore file?

Skipping files like yarn.lock is good practice because 99% of users expect it, and they might by mistake publish heavy, useless files like this in packages.

We use it for an internal package that we use to deploy an application to a cloud PaaS, not for a public library, so I guess we’re part of the 1%.

I don’t really want to argue the pros and cons of the behavior. I can see both sides. If npm 7.0 decided to change it, that would be fine with me. The reason this is a bug is because it broke semver, and is not documented behavior (https://docs.npmjs.com/misc/developers). That fact is made worse by the inclusion of 6.9 with an LTS minor version of node, which should be stable.

This is the culprit: https://github.com/npm/npm-packlist/commit/c21edc6ef3f3926bc529a7964775310cf0f8a1fb#diff-168726dbe96b3ce427e7fedce31bb0bc

You are quite correct that it is not documented on the page you linked, which could at least have helped you after encountering the behaviour.

Do you want to move this to #support:docs-needed? (To hopefully achieve a positive outcome from your experience and report.)
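
A pre-publish check for this kind of silent change in packed contents, as an added example that is not part of the original thread or of npm's own code: it parses the npm notice tarball listing in the npm 6 format quoted above and reports files that are required but missing, or that one npm version packed and another dropped. The function names are assumptions, and the sample input is abridged from the two dry runs in the first post.

```javascript
// Dry-run output for the two npm versions, abridged from the thread above.
const NPM_6_4_1 = [
  'npm notice 📦  npm-publish@1.0.0',
  'npm notice === Tarball Contents === ',
  'npm notice 253B  package.json',
  'npm notice 5.0kB yarn.lock   ',
  'npm notice === Tarball Details === ',
  'npm notice total files:   2',
  '+ npm-publish@1.0.0',
].join('\n');
const NPM_6_9 = [
  'npm notice 📦  npm-publish@1.0.0',
  'npm notice === Tarball Contents === ',
  'npm notice 253B package.json',
  'npm notice === Tarball Details === ',
  'npm notice total files:   1',
  '+ npm-publish@1.0.0',
].join('\n');

// Return the paths listed between "Tarball Contents" and the next "===" header.
function tarballFiles(output) {
  const files = [];
  let inContents = false;
  for (const raw of output.split(/\r?\n/)) {
    if (!raw.startsWith('npm notice')) continue; // e.g. "+ npm-publish@1.0.0"
    const line = raw.slice('npm notice'.length).trim();
    if (line.startsWith('===')) {
      inContents = line.includes('Tarball Contents');
      continue;
    }
    if (!inContents) continue;
    const entry = line.match(/^\S+\s+(.+)$/); // "<size> <path>"
    if (entry) files.push(entry[1]);
  }
  return files;
}

// Required files that the tarball would not contain (hypothetical helper).
function missingFiles(output, required) {
  const packed = new Set(tarballFiles(output));
  return required.filter((file) => !packed.has(file));
}

// Files packed by the old npm but dropped by the new one (hypothetical helper).
function droppedFiles(oldOutput, newOutput) {
  return missingFiles(newOutput, tarballFiles(oldOutput));
}
```

Run against the captured output of npm publish --dry-run in CI, a non-empty result from missingFiles is the signal to fail the build before an incomplete package is published.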
