pinst
suggestion for Yarn Berry no longer works with newer NPM versions #1491
Description
Troubleshoot
- Before creating an issue, please check:
https://typicode.github.io/husky/troubleshoot.html
Context
Currently, the docs recommend using this set of scripts for Yarn Berry (2+):
{
"scripts": {
// Yarn doesn't support prepare script
"postinstall": "husky",
// Include this if publishing to npmjs.com
"prepack": "pinst --disable",
"postpack": "pinst --enable"
}
}
However, this no longer works. There are some details in typicode/pinst#23. The TLDR is that newer versions of NPM seem not to respect what's actually in the published tarball. Instead, they have some kind of database they reference where the postinstall
-> _postinstall
rename no longer works.
I wrote up a simple example here: https://github.com/blimmer/husky-npm-prepare-issue
You can see that this has started failing somewhere in the Node 20.x / NPM 10.x line:
You can see that the rename of postinstall
-> _postinstall
isn't recorded in the npm view
output:
> npm view @blimmer/husky-npm-prepare-issue@latest scripts
{
postinstall: 'husky',
prepack: 'pinst --disable',
postpack: 'pinst --enable'
}
Even though the tarball actually shows the rename:
> npm install --ignore-scripts @blimmer/husky-npm-prepare-issue@latest
> cat node_modules/@blimmer/husky-npm-prepare-issue/package.json
{
"name": "@blimmer/husky-npm-prepare-issue",
"publishConfig": {
"access": "public"
},
"version": "2.0.4",
"bin": {
"husky-npm-prepare-issue": "./bin.js"
},
"scripts": {
"_postinstall": "husky",
"prepack": "pinst --disable",
"postpack": "pinst --enable"
},
"keywords": [],
"license": "ISC",
"devDependencies": {
"husky": "^9.1.4",
"pinst": "^3.0.0"
}
}
This issue is described here: https://gist.github.com/djcsdy/2f5a287b3ba16f2a8f0312f45588e6ce and relates to the higher-level NPM issue described here: https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem
Really, it would be nice if Yarn would just support some script that runs locally when running yarn install
(e.g., prepare
) - see also yarnpkg/berry#2967
Because this is fundamentally broken right now, I wanted to post on the husky
issue tracker for visibility.
Workaround
On my end, I worked around this with the following changes:
-
Remove all calls to
pinst
fromscripts
inpackage.json
. -
Update my
semantic-release
config to runyarn pinst --disable
instead:module.exports = { branches: ["main"], plugins: [ // !! This is what I added !! [ "@semantic-release/exec", { prepareCmd: "yarn pinst --disable && yarn build", } ], [ "@semantic-release/commit-analyzer", { preset: "conventionalcommits" } ], "@semantic-release/release-notes-generator", "@semantic-release/npm", "@semantic-release/github" ] };
If you're publishing from CI and not using semantic-release
, you could add the call to pinst --disable
in your workflow. You just can't seem to have it tied to an NPM lifecycle anymore.
Discoverability
If you see output like this, you're running into this issue (adding for discoverability in the issue tracker):
> npx --verbose my-package
npm info run my-package postinstall node_modules/my-package husky
npm info run my-package postinstall { code: 127, signal: null }
> npm install --save-dev my-package
npm error code 127
npm error path /private/tmp/foo/node_modules/my-package
npm error command failed
npm error command sh -c husky
npm error sh: husky: command not found
npm error A complete log of this run can be found in: /Users/blimmer/.npm/_logs/2024-08-07T17_16_17_181Z-debug-0.log