Private github repository returns invalid package version

[vinnymac]

Do you want to request a feature or report a bug?

Bug

What is the current behavior?

I have tested this behavior using the following versions of yarn:

• 1.5.1
• 1.6.0
• 1.9.2

I receive the following output when trying to install my dependency tagged as 0.0.1

> yarn add git+ssh://git@github.com/vinnymac/myprivaterepo.git#0.0.1
yarn add v1.9.2
[1/4] 🔍  Resolving packages...
error Can't add "myprivaterepo": invalid package version undefined.
info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.

If I try to use other tags, such as one with characters in them or non-semver compliant tags I get a slightly different message.

> yarn add git+ssh://git@github.com/vinnymac/myprivaterepo.git#v2018.07.16
yarn add v1.9.2
[1/4] 🔍  Resolving packages...
error Can't add "myprivaterepo": invalid package version "2018.07.16".
info Visit https://yarnpkg.com/en/docs/cli/add for documentation about this command.

Trying to regenerate my yarn.lock file results in the same message above.

If I attempt to see if yarn can list my dependency using version 1.9.2 I see this

yarn list | grep myprivaterepo
├─ myprivaterepo@2018.7.16

The lockfile shows my dependency as it was generated by 1.3.2 as the following

"myprivaterepo@git+ssh://git@github.com/vinnymac/myprivaterepo.git#v2018.07.16":
  version "2018.7.16"
  resolved "git+ssh://git@github.com/vinnymac/myprivaterepo.git#60f0759d54cc7ddf9d4c5d55a8de3bbb71cff9e7"
  dependencies:
    chalk "^2.4.1"
    cors "^2.8.4"
    express "^4.16.3"
    http-proxy-middleware "^0.18.0"
    inquirer "^5.2.0"
    node-sass-utils "^1.1.2"
    request "^2.87.0"
    semver "^5.5.0"
    underscore.string "^3.3.4"
    url-regex "^4.1.1"

If the current behavior is a bug, please provide the steps to reproduce.

This is a private repository, otherwise I would share it with you. If you have access to private repositories you can try to create tags identical to the ones above, and see if it works the same for you. Maybe even adding the dependencies I do will help. If you have recommendations for what I can do to more easily create a reproduction, I am open to trying anything.

What is the expected behavior?

I have tested that the expected behavior functions properly using the following versions of yarn:

• 0.24.6
• 1.1.0
• 1.2.1
• 1.3.2

On these versions of yarn, it finds the package version and installs the dependencies as I would expect. The dependency is added to my yarn.lock file and I currently am using 1.3.2 until I find another version that suites my needs.

Please mention your node.js, yarn and operating system version.

System Details

NodeJS - v8.11.1 (I've tested v7 and v6 as well)
Yarn - v1.9.2
macOS - 10.13.6

I have been able to reproduce this on more than one machine, I attempted 5 different machines, all were running 10.13 variants.

If this is a duplicate issue, I apologize as I tried to search through and see if anyone had anything similar posted, but could not find one.

[rally25rs]

I think the "version" it is complaining about is from package.json. Does your repo contain a package.json that has the version field?

[vinnymac]

@rally25rs looks like that is indeed what it is referring to.

For tag 0.0.1 my version is missing from the package.json, so that explains the undefined.

For tag v2018.07.16 my version in package.json is

"version": "2018.07.16",

Why does it say that 2018.07.16 is an invalid package version?
Do the tags and version need to be identical for yarn to function properly?
I can attempt that and see what happens.

EDIT:

So it looks like they don't need to be identical, but they have to be semver? I tried

> yarn add git+ssh://git@github.com/vinnymac/myprivaterepo.git#v0.8.0

and it installed version myprivaterepo@0.8.0 where the package.json version was 0.8.0 using v1.9.2 of yarn.

[rally25rs]

Ah, so it looks like official semver doesn't consider 07 to be valid.

According to npm's semver package:

~/Projects/yarn-test 🐒   yarn add semver
yarn add v1.7.0
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
[4/4] 📃  Building fresh packages...
success Saved lockfile.
success Saved 1 new dependency.
info Direct dependencies
└─ semver@5.5.0
info All dependencies
└─ semver@5.5.0
✨  Done in 0.79s.

~/Projects/yarn-test 🐒   node
> const s = require('semver')
undefined
> s.valid('2018.07.16')
null
> s.valid('2018.7.16')
'2018.7.16'

This is what is leading to the message

invalid package version "2018.07.16".

[vinnymac]

I think the following improvements could be made to yarn in that case.

1. For the tag 0.0.1 it could have instead said could not find field 'version' in package.json, which is much clearer in my opinion.
2. For non-semver versions, I think it would be a worthwhile improvement to state somewhere in the docs that only semver versions are supported. If you attempt to use a non-semver version, it could instead say why it is an invalid package version.
3. Installing dependencies with non-semver versions in NPM work fine, so it is a bummer that it stopped working here.

As a side note this appears to be related to npm/node-semver#232

[lieutenantken]

@vinnymac You are a god or at least a lower deity for discovering that package.json requirement for version! THANK YOU

[ltfschoen]

I'm using yarn v1.22.4.
I tried to modify a dependency of my repo here https://github.com/DataHighway-DHX/faucet/blob/master/package.json#L21 to be a branch of another Github repo by changing it to "@truffle/hdwallet-provider": "git://github.com/ltfschoen/truffle.git#14.0.6", and alternative I also tried running yarn add git://github.com/ltfschoen/truffle.git#14.0.6. I tried replacing #14.0.6with#v14.0.6andmasteranddevelop` (branches), but all return output:

error Couldn't find match for "14.0.6" in "refs/heads/alphaTez, ... refs/tags/@truffle/hdwallet-provider@1.0.36, ..."

But if I then run instead yarn add git://github.com/ltfschoen/truffle.git#refs/tags/@truffle/hdwallet-provider@1.0.36, it fails with the same error.
Note that @truffle/hdwallet-provider is a package within the https://github.com/ltfschoen/truffle repository (i.e. https://github.com/ltfschoen/truffle/blob/develop/packages/hdwallet-provider/package.json)

[augnustin]

Fixed this issue by adding #master at the end of the git URL.

[yaizudamashii]

I see this issue with valid semver
"google-caja-bower": "https://github.com/acburdine/google-caja-bower#ghost",

and the project's package.json's version is "6011.0.0"

[rally25rs]

@yaizudamashii I do not get an error when using that github reference as a dependency.

~/Projects/yarn-test 🐒   cat package.json
{
  "name": "yarn-test",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT",
  "dependencies": {
    "google-caja-bower": "https://github.com/acburdine/google-caja-bower#ghost"
  }
}

~/Projects/yarn-test 🐒   yarn install
yarn install v1.22.5
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
[4/4] 🔨  Building fresh packages...

✨  Done in 0.07s.

~/Projects/yarn-test 🐒   ls node_modules/
google-caja-bower

[rally25rs]

Closing this issue as the original cause was found to be a missing version in package.json, or a version whose value is not valid according to the semver library.