How to upgrade indirect dependencies?

[chinesedfan]

Do you want to request a feature or report a bug?

Feature.

What is the current behavior?
yarn upgrade ignores indirect dependencies, so users can't upgrade them in yarn.lock. If I missed something, please tell me.

If the current behavior is a bug, please provide the steps to reproduce.

• Suppose a new empty project, run yarn add is-alphanumerical@1.0.0
  • 2 indirect dependencies, is-alphabetical and is-decimal, will be installed and saved in yarn.lock
  • the latest version of is-alphabetical is 1.0.1 now, if another new version, say 1.0.2 was released(to test, you can release 2 test packages by yourself or modify is-alphabetical to be 1.0.0 in yarn.lock, ** I know modifying yarn.lock directly is not a regular operation**)
• No matter which of following ways, yarn always says All of your dependencies are up to date
  • yarn upgrade is-alphabetical
  • yarn upgrade-interactive
  • yarn upgrade-interactive is-alphabetical

What is the expected behavior?
yarn upgrade also supports indirect dependencies.

Please mention your node.js, yarn and operating system version.
Node 8.9.0
yarn 1.3.2
OSX 10.12.6

[milesj]

@chinesedfan Have you tried yarn upgrade-interactive?

[chinesedfan]

@milesj Yes, it results in the same result and I also updated reproduce steps in issue description.

[rally25rs]

That is because yarn add is-alphanumerical@1.0.0 sets your package.json to exactly version 1.0.0 as you requested.

yarn upgrade respects your package.json semver range, and since you specified exactly version 1.0.0, it won't offer to upgrade to other versions.

You could resolve this a couple ways:

• yarn upgrade --latest will ignore semver range and see what is tagged as latest in the registry.
• change package.json to accept a version range like ^1.0.0 then yarn upgrade (you might have to yarn install first to get it to update the lock file for the changed range)
• explicitly specify a version to upgrade, like yarn upgrade is-alphanumerical@1.0.1 or yarn upgrade is-alphanumerical@^1.0.0

---

Edit:

Sorry, I just noticed there are different package names. alphanumerical and alphabetical look the same at a glance :)

Right, since there is no upgrade for is-alphanumerical, the dependency tree isn't traversed any deeper to handle its transitive dependencies.

You could try adding the --force flag and see if that makes it the subdependencies. Otherwise I think you are right, there isn't an easy way to do that other than yarn remove is-alphanumerical and yarn add is-alphanumerical

[chinesedfan]

@rally25rs Thanks for your reply! I tested 2 more cases.

• yarn upgrade is-alphabetical --force doesn't work, either.
• yarn upgrade is-alphanumerical will upgrade ALL its subdependencies even if it is already latest.
  • But if I just want to upgrade a specified subdependency, that is still not very convenient.

[OneCyrus]

yes, this is a major problem with yarn at the moment. and it's already in discussion at #2394

[rally25rs]

duplicate #2394

[AlexWayfer]

Please, re-open: it's not duplicate.

#2394 describes duplicating of meck-test-bb package (indirect dependency):

I got two copies of meck-test-bb

This issue describes just ability to upgrade indirect dependency (somehow).

[chinesedfan]

@rally25rs Forgive me to ping.

[AlexWayfer]

@rally25rs, please, you've closed both non-duplicating issues, it's wrong. Give us ability to upgrade indirect dependencies, please!

[rally25rs]

Sorry, there was some confusion over on the other issue. I originally thought 2394 was asking for a way to upgrade a transitive dep using a --deep flag, or something like that, so I had marked this issue as a duplicate of that. Later on after re-reading 2394 I think it was about something different, which is not a duplicate of this like I originally thought.