@isaacs/nested-yarn-lock-test
Advanced tools
This is an example case showing that a `yarn.lock` file does not guarantee package resolutions at all levels.
This is an example case showing that a yarn.lock file does not guarantee
package resolutions at all levels.
root (x@1.x, y@1.x, z@1.x) <-- 1.x dep here
+-- x 1.2.0 <-- 1.x resolves to 1.2.0
+-- y (x@1.1, z@2.x)
| +-- x 1.1.0 <-- 1.x resolves to 1.1.0
| +-- z 2.0.0 (x@1.x) <-- 1.x dep here
+-- z 1.0.0
Both Yarn and npm create the same folder structure in node_modules, which
is good. But the yarn.lock file indicates that x@1.x should resolve to
version 1.2.0, and z@2.0.0's dependency on x@1.x resolves to 1.1.0
instead.
Conclusion: yarn.lock on its own does not guarantee resolutions or
deterministic builds. That part of the contract is provided by the
implementation of Yarn itself, not in the lockfile format.
FAQs
This is an example case showing that a `yarn.lock` file does not guarantee package resolutions at all levels.
We found that @isaacs/nested-yarn-lock-test demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
A malicious Chrome extension steals newly created MEXC API keys, exfiltrates them to Telegram, and enables full account takeover with trading and withdrawal rights.
Security News
CVE disclosures hit a record 48,185 in 2025, driven largely by vulnerabilities in third-party WordPress plugins.
Security News
Socket CEO Feross Aboukhadijeh joins Insecure Agents to discuss CVE remediation and why supply chain attacks require a different security approach.