Checksum inconsistencies with Yarn 3.5 and TypeScript 5 across different OS

[naXa777]

Hello everyone,

I am facing an issue while using Yarn 3.5 with TypeScript 5.0.4. I've noticed that the checksum calculated by Yarn for TypeScript patch (compat/typescript) varies depending on the operating system where yarn install is executed. Here is an example:

"typescript@patch:[email protected]#~builtin<compat/typescript>":
  version: 5.0.4
  resolution: "typescript@patch:typescript@npm%3A5.0.4#~builtin<compat/typescript>::version=5.0.4&hash=ad5954"
  bin:
    tsc: bin/tsc
 tsserver: bin/tsserver
 languageName: node
 linkType: hard

On Mac yarn auto-generates the following line:
checksum: 6a1fe9a77bb9c5176ead919cc4a1499ee63e46b4e05bf667079f11bf3a8f7887f135aa72460a4c3b016e6e6bb65a822cb8689a6d86cbfe92d22cc9f501f09213

On Windows yarn auto-generates the following line:
checksum: bb309d320c59a26565fb3793dba550576ab861018ff3fd1b7fccabbe46ae4a35546bc45f342c0a0b6f265c801ccdf64ffd68f548f117ceb7f0eac4b805cd52a9

But if I commit the changed yarn.lock file to Github and run CI/CD pipeline on Linux, the build fails with error:

➤ YN0000: ┌ Post-resolution validation
➤ YN0000: │ @@ -21402,13 +21402,12 @@
➤ YN0000: │    linkType: hard
➤ YN0000: │  
➤ YN0000: │  "typescript@patch:[email protected]#~builtin<compat/typescript>":
➤ YN0000: │    version: 5.0.4
➤ YN0028: │ -  resolution: "typescript@patch:typescript@npm%3A5.0.4#~builtin<compat/typescript>::version=5.0.4&hash=ad5954"
➤ YN0028: │ +  resolution: "typescript@patch:typescript@npm%3A5.0.4#~builtin<compat/typescript>::version=5.0.4&hash=85af82"
➤ YN0000: │    bin:
➤ YN0000: │      tsc: bin/tsc
➤ YN0000: │      tsserver: bin/tsserver
➤ YN0028: │ -  checksum: 6a1fe9a77bb9c5176ead919cc4a1499ee63e46b4e05bf667079f11bf3a8f7887f135aa72460a4c3b016e6e6bb65a822cb8689a6d86cbfe92d22cc9f501f09213
➤ YN0000: │    languageName: node
➤ YN0000: │    linkType: hard
➤ YN0000: │  
➤ YN0000: │  "uglify-es@npm:^3.3.4":
➤ YN0000: │ 
➤ YN0028: │ The lockfile would have been modified by this install, which is explicitly forbidden.
➤ YN0000: └ Completed
➤ YN0000: Failed with errors in 0s 832ms

This is causing a bit of a pain point, as I have to manually remove the checksum each time. I'm aware that the checksum is used for ensuring the integrity of the package, but in this scenario, it seems to create more problems than it solves.

So far, I have not found a way to prevent Yarn from adding the checksum to the lock file. Online search shows that the issue may be related to:

• yarn plugin-compat https://www.yarnpkg.cn/api/modules/plugin_compat.html
• yarn pack yarn pack produces slightly different .tgz files on different operating systems #2774

However, I don't see any solutions for my case.

I was wondering if anyone else has encountered this issue and if there are any recommended solutions or workarounds. Is there a way to disable the checksum addition for this specific scenario?

Any help would be greatly appreciated! Thank you.

[markwellis]

I have the same problem.

The yarn.lock was created on macos, and the install is on linux (node:18 docker image)

yarn --version
3.6.3

yarn install --immutable error:

➤ YN0000: ┌ Post-resolution validation
➤ YN0000: │ @@ -30512,23 +30512,21 @@
➤ YN0000: │    linkType: hard
➤ YN0000: │  
➤ YN0000: │  "typescript@patch:[email protected]#~builtin<compat/typescript>":
➤ YN0000: │    version: 4.8.3
➤ YN0028: │ -  resolution: "typescript@patch:typescript@npm%3A4.8.3#~builtin<compat/typescript>::version=4.8.3&hash=aae4e6"
➤ YN0028: │ +  resolution: "typescript@patch:typescript@npm%3A4.8.3#~builtin<compat/typescript>::version=4.8.3&hash=3b564f"
➤ YN0000: │    bin:
➤ YN0000: │      tsc: bin/tsc
➤ YN0000: │      tsserver: bin/tsserver
➤ YN0028: │ -  checksum: 2222d2382fb3146089b1d27ce2b55e9d1f99cc64118f1aba75809b693b856c5d3c324f052f60c75b577947fc538bc1c27bad0eb76cbdba9a63a253489504ba7e
➤ YN0000: │    languageName: node
➤ YN0000: │    linkType: hard
➤ YN0000: │  
➤ YN0000: │  "typescript@patch:[email protected]#~builtin<compat/typescript>":
➤ YN0000: │    version: 5.0.4
➤ YN0028: │ -  resolution: "typescript@patch:typescript@npm%3A5.0.4#~builtin<compat/typescript>::version=5.0.4&hash=d73830"
➤ YN0028: │ +  resolution: "typescript@patch:typescript@npm%3A5.0.4#~builtin<compat/typescript>::version=5.0.4&hash=b5f058"
➤ YN0000: │    bin:
➤ YN0000: │      tsc: bin/tsc
➤ YN0000: │      tsserver: bin/tsserver
➤ YN0028: │ -  checksum: 6a1fe9a77bb9c5176ead919cc4a1499ee63e46b4e05bf667079f11bf3a8f7887f135aa72460a4c3b016e6e6bb65a822cb8689a6d86cbfe92d22cc9f501f09213
➤ YN0000: │    languageName: node
➤ YN0000: │    linkType: hard
➤ YN0000: │  
➤ YN0000: │  "typescript@patch:typescript@^3.9.6#~builtin<compat/typescript>":
➤ YN0000: │ 
➤ YN0028: │ The lockfile would have been modified by this install, which is explicitly forbidden.
➤ YN0000: └ Completed
➤ YN0000: Failed with errors in 0s 643ms

git diff yarn.lock after running yarn install without --immutable arg

diff --git a/yarn.lock b/yarn.lock
index 5c5f56f3e..f2b166cb9 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -30513,21 +30513,21 @@ __metadata:
 
 "typescript@patch:[email protected]#~builtin<compat/typescript>":
   version: 4.8.3
-  resolution: "typescript@patch:typescript@npm%3A4.8.3#~builtin<compat/typescript>::version=4.8.3&hash=aae4e6"
+  resolution: "typescript@patch:typescript@npm%3A4.8.3#~builtin<compat/typescript>::version=4.8.3&hash=3b564f"
   bin:
     tsc: bin/tsc
     tsserver: bin/tsserver
-  checksum: 2222d2382fb3146089b1d27ce2b55e9d1f99cc64118f1aba75809b693b856c5d3c324f052f60c75b577947fc538bc1c27bad0eb76cbdba9a63a253489504ba7e
+  checksum: dfe2ee3b9da1d74b9e06784ae90c20c435db9ad6ab23172911f6cdbfd7ab7213ae3611c4254c5a2c6dc2e89f05a658b95493890bf62d218267033b3d8a2e4dd6
   languageName: node
   linkType: hard
 
 "typescript@patch:[email protected]#~builtin<compat/typescript>":
   version: 5.0.4
-  resolution: "typescript@patch:typescript@npm%3A5.0.4#~builtin<compat/typescript>::version=5.0.4&hash=d73830"
+  resolution: "typescript@patch:typescript@npm%3A5.0.4#~builtin<compat/typescript>::version=5.0.4&hash=b5f058"
   bin:
     tsc: bin/tsc
     tsserver: bin/tsserver
-  checksum: 6a1fe9a77bb9c5176ead919cc4a1499ee63e46b4e05bf667079f11bf3a8f7887f135aa72460a4c3b016e6e6bb65a822cb8689a6d86cbfe92d22cc9f501f09213
+  checksum: d26b6ba97b6d163c55dbdffd9bbb4c211667ebebc743accfeb2c8c0154aace7afd097b51165a72a5bad2cf65a4612259344ff60f8e642362aa1695c760d303ac
   languageName: node
   linkType: hard

[DavidMakin]

was the yarn.lock created with a different version of yarn? Check if there is an older version mentioned in a .yarnrc.yml or package.json file

[abdavid]

Experiencing the same issue I am however using Yarn 4.5.3 which is pinned in .yarnrc.yml for all devs and pipelines.

Running yarn install locally will produce a delta that my Gitlab.pipeline running alpine node will try to change. Runner caches have been cleared to try and alleviate the issue to no avail.

Locally I have recreated the lock file, cleared caches etc but it seems to be a consistent behaviour between my dev machine and pipeline.

I have also confirmed that the compressionLevel is the same for all configurations (as there is a bug report mentioning checksum mismatches when compressionLevel is different between configurations)

I am currently stumped :/

$ yarn --immutable
➤ YN0000: · Yarn 4.5.3
...
Post-resolution validation
00:00
➤ YN0028: -  resolution: "typescript@patch:typescript@npm%3A5.7.2#optional!builtin<compat/typescript>::version=5.7.2&hash=8c6c40"
➤ YN0028: +  resolution: "typescript@patch:typescript@npm%3A5.7.2#optional!builtin<compat/typescript>::version=5.7.2&hash=5786d5"
➤ YN0028: -  checksum: 10c1/bdf5ab9323d77364de0a7169f77a209110c2e74587eabaf403139a93873bea010fc93f211ae9376fbf8e9bf69ccfaf180b0e5f7bd9a566e26bafc344e320645c
➤ YN0028: The lockfile would have been modified by this install, which is explicitly forbidden.

[GarrettSYHampton]

Getting the same error/issue here. Every deploy has a different hash, causing our CI/CD to fail deployments. Also stumped.