yarn install (v4) will fail the first time with packages from private registry (artifactory).

[danielplappert]

Self-service

• I'd be willing to implement a fix

Describe the bug

In our project we are currently using yarn v1. We are able to download packages from our private registry (artifactory). Our packages are scoped packages, which means our package.json looks like this:

 ...
 "dependencies": {
    "@mui/icons-material": "^5.9.1",
    "@private/lib1": "1.2.2",
    "@private/lib2": "1.0.2",
 ...

With yarn v1 everything works fine. Now we want to upgrade to yarn v4. We migrated .npmrc to .yarnrc.yml

npmScopes:
  private:
    npmAlwaysAuth: true
    npmRegistryServer: "https://artifactory.company.com/artifactory/api/npm/private-npmjs/"
    npmAuthToken: MY_TOKEN

and also set yarn version to berry. So far so good. But the first time we run

yarn install

yarn failed with the following error:

➤ YN0001: │ Error: @private/lib1@npm:1.2.2: @private/lib1@npm:1.2.2::__archiveUrl=https%3A%2F%2Fartifactory.company.com%3A443%2Fartifactory%2Fapi%2Fnpm%2Fprivate-npmjs%2F%40private%2Flib1%2F-%2F%40private%2Flib1-1.2.2.tgz%23 isn't supported by any available resolver

When we remove our own (private) dependencies

 "dependencies": {
    "@mui/icons-material": "^5.9.1",
 ...

and run yarn install again, yarn is downloading all packages without any error. After the first run of yarn install we can now add our dependencies again:

 ...
 "dependencies": {
    "@mui/icons-material": "^5.9.1",
    "@private/lib1": "1.2.2",
    "@private/lib2": "1.0.2",
 ...

and re-run yarn install. NOW the packages from our private registry are downloaded and installed as well. There are no errors.

It seems, that only the first time we run yarn install there is a problem with installing packages from our registry. The problem is, that this also happens in our gitlab pipelines, which means, we are currently unable to build our app with yarn v4.

To reproduce

Create a project containing packages from a private registry using yarn v1.

Upgrade to yarn v4 as described here: https://yarnpkg.com/migration/guide

After running yarn install, installation will fail. Remove all packages of your private registry in your package.json, and re-run yarn install again. Installation will now succeed. Undo your changes in package.json and run yarn install again.

Environment

System:
  OS: macOS 13.5.1
  CPU: (16) x64 Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz
Binaries:
  Node: 20.9.0 - /private/var/folders/bf/kpd557n94931bg65fm4mw7cm0000gn/T/xfs-246c0f58/node
  Yarn: 4.0.0 - /private/var/folders/bf/kpd557n94931bg65fm4mw7cm0000gn/T/xfs-246c0f58/yarn
  npm: 10.1.0 - /usr/local/bin/npm
  pnpm: 8.10.0 - /usr/local/bin/pnpm

Additional context

No response

[n3m6]

Same issue

[n3m6]

the following .yarnrc.yml file worked for some reason.

enableGlobalCache: true
checksumBehavior: reset
defaultSemverRangePrefix: ""
enableColors: true
enableConstraintsChecks: true
nmHoistingLimits: workspaces
nodeLinker: pnp
preferInteractive: false
yarnPath: .yarn/releases/yarn-4.0.2.cjs
npmRegistries:
  //gitlab.com/api/v4/projects/xxx/packages/npm/:
    npmAlwaysAuth: true
npmScopes:
  private:
    npmRegistryServer: ""
    npmAlwaysAuth: true

I suspect it has to do with nodeLinker, but I"m not sure.

[siosio34]

same issue too

[azeezat]

I deleted the yarn.lock file and installed the dependencies again and that fixed the error.

[yongsk0066]

same issue too

[laliux]

I had a similar issue, yarn v3.6.1, github npm registry. It worked for my .yarnrc.yml :

npmRegistries:
  "https://npm.pkg.github.com":
    npmAlwaysAuth: true
    npmAuthToken: ${NPM_AUTH_TOKEN}

npmScopes:
  myscope:
    npmRegistryServer: https://npm.pkg.github.com

The package.json for my package looks like:

{
  "name": "@myscope/my-package-name",
  "version": "1.0.10",
  "publishConfig": {
    "@myscope:registry": "https://npm.pkg.github.com"
  },
  ...
  "dependencies": {
    "aes-cross": "^1.1.2"
  }
}

[sumasagrp]

when you yarn install with internal repository it seems to create a yarn.local file containing resolution with __archiveURL pointing to that internal repository, when you cleaned and tried without internal repository it creates a yarn.lock file containing resolution but this time without __archiveURL . Howvere this resolution without archiveURL is still able to be used with internal repository .
IMO there should be an override flag to to ignore archiveURL because this issue breaks pipelines where development and build chains have different internal urls.

The fix is to use this sed -i -e "s#https://registry.yarnpkg.com/#{YOUR_CI_REGISTRY}#g" yarn.lock

i believe this used to work sed -i -e "/resolved:* .*$/d" yarn.lock which was cleaner but v4 requires resolution.

Yarn team any suggestions ? Respository such as artifactory might not have the desired url scheme but it would still be nice to have over ride features for users to get around issues like this.

[dnguyentien-lmi]

I deleted the yarn.lock file and installed the dependencies again and that fixed the error.

This fixed it for me. Check if the yarn.lock has been migrated/converted to the new format. If not, then deleting it and re-running yarn install solves it

[scotteratigan]

I faced this issue migrating from yarn 1 to yarn 4 with a private npm server (artifactory). My fix was to first update to yarn 2 with yarn set version 2.x then run yarn install, which updates the lockfile to the new expected format, and then update to yarn 4 with yarn set version berry and then re-run yarn install.

[sankar-gp]

any update on this issue, I'm facing issue with yarn v3