Yarn check [--integrity [--verbose]] fail and messages aren't helpful in the slightest

[taoeffect]

Do you want to request a feature or report a bug?

Bug.

If the current behavior is a bug, please provide the steps to reproduce.

In my repo I ran several commands, in succession: yarn check, then yarn check --integrity and then yarn check --integrity --verbose.

$ yarn check
yarn check v0.17.10
warning standard#eslint-config-standard-jsx#eslint@>=3.0.0 could be deduped from 3.12.2 to eslint@3.12.2
warning standard#eslint-config-standard#eslint@>=3.8.1 could be deduped from 3.12.2 to eslint@3.12.2
warning standard#eslint-plugin-react#eslint@^2.0.0 || ^3.0.0 could be deduped from 3.12.2 to eslint@3.12.2
warning standard#eslint-plugin-standard#eslint@>=3.0.0 could be deduped from 3.12.2 to eslint@3.12.2
warning sqlite3#node-pre-gyp#mkdirp@~0.5.1 could be deduped from 0.5.1 to mkdirp@0.5.1
warning sqlite3#node-pre-gyp#nopt@~3.0.6 could be deduped from 3.0.6 to nopt@3.0.6
warning sqlite3#node-pre-gyp#npmlog@^4.0.0 could be deduped from 4.0.1 to npmlog@4.0.1
warning sqlite3#node-pre-gyp#rc@~1.1.6 could be deduped from 1.1.6 to rc@1.1.6
warning sqlite3#node-pre-gyp#request@^2.75.0 could be deduped from 2.79.0 to request@2.79.0
warning sqlite3#node-pre-gyp#rimraf@~2.5.4 could be deduped from 2.5.4 to rimraf@2.5.4
warning sqlite3#node-pre-gyp#semver@~5.3.0 could be deduped from 5.3.0 to semver@5.3.0
warning sqlite3#node-pre-gyp#tar@~2.2.1 could be deduped from 2.2.1 to tar@2.2.1
warning sqlite3#node-pre-gyp#tar-pack@~3.3.0 could be deduped from 3.3.0 to sqlite3#tar-pack@3.3.0
error shelljs#glob is wrong version: expected 7.0.6, got 7.1.1
error es3ify#esprima-fb is wrong version: expected 3001.1.0-dev-harmony-fb, got 3001.0001.0000-dev-harmony-fb
error sass-graph#glob is wrong version: expected 7.0.6, got 7.1.1
warning fsevents#node-pre-gyp#mkdirp@~0.5.1 could be deduped from 0.5.1 to mkdirp@0.5.1
warning fsevents#node-pre-gyp#nopt@~3.0.6 could be deduped from 3.0.6 to nopt@3.0.6
error fsevents#node-pre-gyp#npmlog@^4.0.0 doesn't satisfy found match of fsevents#npmlog@3.1.2
warning fsevents#node-pre-gyp#rc@~1.1.6 could be deduped from 1.1.6 to rc@1.1.6
error fsevents#node-pre-gyp#request@^2.75.0 doesn't satisfy found match of fsevents#request@2.73.0
error fsevents#node-pre-gyp#rimraf@~2.5.4 doesn't satisfy found match of fsevents#rimraf@2.5.3
error fsevents#node-pre-gyp#semver@~5.3.0 doesn't satisfy found match of fsevents#semver@5.2.0
warning fsevents#node-pre-gyp#tar@~2.2.1 could be deduped from 2.2.1 to tar@2.2.1
warning fsevents#node-pre-gyp#tar-pack#debug@~2.2.0 could be deduped from 2.2.0 to debug@2.2.0
warning fsevents#node-pre-gyp#tar-pack#fstream@~1.0.10 could be deduped from 1.0.10 to fstream@1.0.10
warning fsevents#node-pre-gyp#tar-pack#fstream-ignore@~1.0.5 could be deduped from 1.0.5 to fstream-ignore@1.0.5
warning fsevents#node-pre-gyp#tar-pack#rimraf@~2.5.1 could be deduped from 2.5.4 to rimraf@2.5.4
warning fsevents#node-pre-gyp#tar-pack#tar@~2.2.1 could be deduped from 2.2.1 to tar@2.2.1
warning fsevents#node-pre-gyp#tar-pack#uid-number@~0.0.6 could be deduped from 0.0.6 to uid-number@0.0.6
warning fsevents#tar-pack#once#wrappy@1 could be deduped from 1.0.2 to wrappy@1.0.2
warning fsevents#tar-pack#readable-stream#buffer-shims@^1.0.0 could be deduped from 1.0.0 to buffer-shims@1.0.0
warning fsevents#tar-pack#readable-stream#core-util-is@~1.0.0 could be deduped from 1.0.2 to core-util-is@1.0.2
warning fsevents#tar-pack#readable-stream#inherits@~2.0.1 could be deduped from 2.0.3 to inherits@2.0.3
warning fsevents#tar-pack#readable-stream#process-nextick-args@~1.0.6 could be deduped from 1.0.7 to process-nextick-args@1.0.7
warning fsevents#tar-pack#readable-stream#string_decoder@~0.10.x could be deduped from 0.10.31 to string_decoder@0.10.31
warning fsevents#tar-pack#readable-stream#util-deprecate@~1.0.1 could be deduped from 1.0.2 to util-deprecate@1.0.2
info Found 30 warnings.
error Found 7 errors.

So I was like, "Wtf does that mean and how do I fix it?"

Not finding an answer to that question, I tried yarn check --integrity:

$ yarn check --integrity
yarn check v0.17.10
error Integrity hashes don't match, expected 0d2d5ed99a323c75f28f927eacdca204a7f608efc8e8c6c51fad33f05a40bc90 but got 126117d25ed334e75dc9d9e850da60dbf3a4503ef90f9a9b8547117c181db872
error Found 1 errors.
info Visit https://yarnpkg.com/en/docs/cli/check for documentation about this command.

Oh, OK. Something's broken, but I have no idea what it is or what to do about it.

Maybe yarn check --integrity --verbose will be more helpful?

$ yarn check --integrity --verbose
yarn check v0.17.10
error Integrity hashes don't match, expected 0d2d5ed99a323c75f28f927eacdca204a7f608efc8e8c6c51fad33f05a40bc90 but got 126117d25ed334e75dc9d9e850da60dbf3a4503ef90f9a9b8547117c181db872
verbose Error: Found 1 errors.
    at Object.<anonymous> (/usr/local/Cellar/yarn/0.17.10/libexec/lib/node_modules/yarn/lib/cli/commands/check.js:179:13)
    at Generator.next (<anonymous>)
    at step (/usr/local/Cellar/yarn/0.17.10/libexec/lib/node_modules/yarn/node_modules/babel-runtime/helpers/asyncToGenerator.js:17:30)
    at /usr/local/Cellar/yarn/0.17.10/libexec/lib/node_modules/yarn/node_modules/babel-runtime/helpers/asyncToGenerator.js:28:13
error Found 1 errors.
info Visit https://yarnpkg.com/en/docs/cli/check for documentation about this command.

😞

What is the expected behavior?

For Yarn to speak plain English and tell me what's going on and how to fix it.

1. First, yarn check and its errors need to give some hint as to how to fix them.
2. Secondly, yarn check --integrity should probably be done by default on every yarn command. Didn't this project say it was supposed to be "secure"? But it's not providing even the most basic level of security (checksum verification) unless a special secret command that I just stumbled upon is run. That's pretty unexpected behavior. The docs make it sound like it does integrity checks by default, but apparently it doesn't.
3. Finally, if something goes wrong, Yarn should tell me what it actually is. I tried searching for the hashes it gave me (both of them) in the yarn.lock file and neither of them was there. WTF. How am I supposed to fix this problem at this point? Yarn should tell me exactly what to do.

Please mention your node.js, yarn and operating system version.

$ npm version
{ npm: '3.10.9',
  ares: '1.10.1-DEV',
  cldr: '30.0.2',
  http_parser: '2.7.0',
  icu: '58.1',
  modules: '51',
  node: '7.2.1',
  openssl: '1.0.2j',
  tz: '2016g',
  unicode: '9.0',
  uv: '1.10.1',
  v8: '5.4.500.44',
  zlib: '1.2.8' }

Mac OS X — 10.11.6.

Yarn v0.17.10. I would have done this with the latest version, v0.18.1, if that version was available on Homebrew, but it is not.

[6zz]

how do I resolve the "could be deduped..." warnings? I can't update the yarn.lock file directly right?

[spacegoing]

same issue here:

 warning "\u001b[2mchokidar#\u001b[22mfsevents#node-pre-gyp@^0.6.29"
 could be deduped from "0.6.32" to "node-pre-gyp@0.6.32"

Would please some body answer:

• What does the word deduped mean?
• Why there are so many rubbish characters in the warning message?
• How to fix this?

[weedgrease]

Would appriciate some answers to the questions asked above!

[bhoule]

The chokidar#fsevents#node-pre-gyp@^0.6.29 could be deduped from 0.6.33 to node-pre-gyp@0.6.33 warning is a result of node-pre-gyp being a bundled dependency of fsevents.

[Ridermansb]

I have an similar issue..

yarn check v0.20.3
error Integrity hashes don't match, expected "132aa146372c295e87a48cc37eec4cad3f21c1f7cff4046cadd5dd3e2b05c1be" but got "bc557edc7b8680dfbad1e2c711bd6dae3e87e057cc5f84a13f671008ed6e2515"
verbose Error: Found 1 errors.
    at MessageError (/Users/ridermansb/.nvm/versions/node/v6.7.0/lib/node_modules/yarn/lib/errors.js:8:5)
    at /Users/ridermansb/.nvm/versions/node/v6.7.0/lib/node_modules/yarn/lib/cli/commands/check.js:167:13
    at next (native)
    at step (/Users/ridermansb/.nvm/versions/node/v6.7.0/lib/node_modules/yarn/node_modules/babel-runtime/helpers/asyncToGenerator.js:17:30)
    at /Users/ridermansb/.nvm/versions/node/v6.7.0/lib/node_modules/yarn/node_modules/babel-runtime/helpers/asyncToGenerator.js:28:13
error Found 1 errors.
info Visit https://yarnpkg.com/en/docs/cli/check for documentation about this command

How can I fix this?

[saarons]

The fix I've been able to find comes from manually editing the yarn.lock file.

Let's say for example you have the following entries:

lodash-es@^4.17.3:
  version "4.17.4"
  resolved "https://registry.yarnpkg.com/lodash-es/-/lodash-es-4.17.4.tgz#dcc1d7552e150a0640073ba9cb31d70f032950e7"

lodash-es@^4.2.1:
  version "4.16.4"
  resolved "https://registry.yarnpkg.com/lodash-es/-/lodash-es-4.16.4.tgz#4dc3e2cf33a8c343028aa7f7e06d1c9697042599"

This can be manually edited down to:

lodash-es@^4.2.1, lodash-es@^4.17.3:
  version "4.17.4"
  resolved "https://registry.yarnpkg.com/lodash-es/-/lodash-es-4.17.4.tgz#dcc1d7552e150a0640073ba9cb31d70f032950e7"

Don't know how it got in this state but running yarn check again comes out clean.

[taoeffect]

Here's how it behaves with the latest 0.23.2 version:

W.T.F.

EDIT: created a separate issue for this related issue: #3242

[Artoria2e5]

@spacegoing Why there are so many rubbish characters in the warning message?

These are ANSI color codes. What kind of terminal are you using here? Is is pre-Windows 10 cmd (old conhost)?

[spacegoing]

@Artoria2e5 I'm using osx's built-in terminal

[bestander]

This are some fair points, we are teaching Yarn proper English a little bit at a time :)

The integrity checks became more silent if they are not actionable and they do run by default when you install.

The warnings warning standard#eslint-config-standard-jsx#eslint@>=3.0.0 could be deduped from 3.12.2 to eslint@3.12.2 I think got fixed in 0.26.

But if they are not please send a PR!

[Subtletree]

Was seeing the same thing:
yarn v0.27.5

yarn check

warning "ember-wormhole#ember-cli-babel@^6.0.0" could be deduped from "6.8.2" to "ember-cli-babel@6.8.2"
warning "ember-ajax#ember-cli-babel@^6.0.0" could be deduped from "6.8.2" to "ember-cli-babel@6.8.2"
warning "ember-chrome-devtools#ember-cli-babel@^6.0.0" could be deduped from "6.8.2" to "ember-cli-babel@6.8.2"
warning "ember-cli-moment-shim#ember-cli-babel@^6.6.0" could be deduped from "6.8.2" to "ember-cli-babel@6.8.2"
warning "ember-cli-qunit#ember-cli-babel@^6.8.1" could be deduped from "6.8.2" to "ember-cli-babel@6.8.2"
... //many more

yarn.lock

ember-cli-babel@^6.0.0, ember-cli-babel@^6.0.0-beta.4, ember-cli-babel@^6.0.0-beta.7, ember-cli-babel@^6.1.0, ember-cli-babel@^6.3.0, ember-cli-babel@^6.4.1, ember-cli-babel@^6.6.0:
  version "6.6.0"
...
ember-cli-babel@^6.7.0:
  version "6.7.1"
...
ember-cli-babel@^6.8.0, ember-cli-babel@^6.8.2:
  version "6.8.2"
...
ember-cli-babel@^6.8.1:
  version "6.8.1"

Ended up having to recreate the lock file which fixed both problems