`bundledDependencies` attempted to be fetched from npm instead

Do you want to request a feature or report a bug?

What is the current behavior?
A package being installed from the NPM registry with bundled dependencies will look for the bundled dependencies on NPM registry instead of using the bundled versions. If modules don’t exist on the npm registry, the install fails saying

error Couldn't find package "bundled-package@*" required by "installing-package@x.x.x" on the "npm" registry.

If the current behavior is a bug, please provide the steps to reproduce.

yarn add win-bt

This is my module that I’ve published to npm, it uses bundled dependencies for some windows specific features, so unfortunately this will only work on windows. There are some other prerequisites that are necessary for a full successful install, but it doesn’t get to any of those before this bundled dependencies error so it shouldn’t be an issue. Alternately, you could potentially use some other module that has bundled dependencies on npm, I just don’t know of any specifically that do. Regardless, all you have to do is yarn add like so and the error shows up.

What is the expected behavior?
Expected to fetch the module and use the dependencies bundled therein instead of looking on NPM for them.

Please mention your node.js, yarn and operating system version.
node:8.9.1 yarn:1.5.1 and 1.7.0 os: Windows 10 v1803 (build 17134.48)

Author: Fantashit

6 thoughts on “`bundledDependencies` attempted to be fetched from npm instead

  1. For what it’s worth, this bug seems to be the direct cause of twilio/flex-plugin-builder#2. @twilio/flex-ui bundles a dependency on @twilio/frame-ui, which Yarn fails to handle. It goes looking for it on NPM, where it is a private package, which causes Yarn to abort the install.

    Similar to the described scenario, only Yarn encounters an authentication error, not a not found error.

  2. Want to chime in on this as well, as I really think it should be fixed / is a bug. As of this comment I’m using yarn@1.19.1.

    Similar to @sambostock‘s scenario above with @twilio/flex-ui bundling a private dependency of @twilio/frame-ui, I also have a project that includes packages that include private bundled dependencies. The behavior is exactly the same – yarn attempts to fetch these bundled dependencies from the registry, but they won’t be there (by design).

    Considering these are officially documented dependency types for both npm and yarn, I would think these “private bundled dependency” scenarios would be supported.

    For any yarn core members that may read this, would a PR be considered here, or is more discussion required?

  3. So I think I might attempt a PR for this soon (unless someone else gets to it first). Unfortunately it’s a little more complicated than just “if bundled, skip!” when resolving and installing dependencies.

    For the first pass I think the following might work:

    1. Identify/label a dependency as “bundled” with its parent.
      Similar to optional dependencies, may need to pass around information that a dependency is “bundled” with its parent for use in other parts of the yarn lifecycle.
    2. If bundled, don’t attempt to download/fetch/request the dependency.
      Not sure if there needs to be some “validation” of the bundled version, or if that’s assumed to be taken care of when the parent dependency was packaged.
    3. Continue to try and resolve and fetch the bundled dependency’s dependencies.

    If anyone has more insight or feedback please let me know – thanks!

    I could also probably look at how npm implements bundled dependency resolution…but I think my head will explode if I try to go look through that code right now 😞

    FYI also made sure this wasn’t already fixed in yarn v2/”berry”, and doesn’t seem to be:

    ➤ YN0001: │ HTTPError: @twilio/frame-ui@npm:^0.36.1: Response code 404 (Not Found)
        at EventEmitter.<anonymous> (/development/yarn/.yarn/releases/yarn-berry.js:360:59866)
        at runMicrotasks (<anonymous>)
        at processTicksAndRejections (internal/process/task_queues.js:93:5)
  4. Not sure if this is still being looked at, but I want to share my use-case (and as of recently, I believe many others):
    So I’m working with kotlin/js libraries. Since main publishing flow used by the technology is maven repos, there are a lot of popular kotlin/js packages that are not getting published to npm (even some core stdlib packages). So having bundledDependencies working properly would allow me to ship my compiled kotlin/js library as normal js package with all kotlin-specific dependencies bundled within the package (since they do not exist on npm)

Comments are closed.