How to know the version of currently installed package from yarn.lock
Solution 1
I found out that yarn whyis the best way to find out the currently installed version of a package (Thanks to one of my colleague who point out to me). This is how my test code looks in the JavaScript.
const { spawnSync } = require('child_process');
const packageName = 'micromatch';
const whyBuffer = spawnSync('yarn', ['why', packageName]);
const grepBuffer = spawnSync('grep', ['Found'], { input: whyBuffer.stdout });
const outputArray = grepBuffer.stdout.toString().split('\n');
console.log(outputArray); // ['info \r=> Found "[email protected]"', 'info \r=> Found "fast-glob#[email protected]"', '' ]
const parsedOutputArray = outputArray.filter(output => output.length > 0).map((output) => output.split('@')[1].replace('"', ''))
console.log(parsedOutputArray); // [ '3.1.10', '4.0.2' ]
Solution 2
Since, you know the name of the package, do this:
yarn list --pattern <package_name>
The above command will get you all installed versions of a package at any depth. For example, I have different versions of camelcase library installed at various depths. On running the command : yarn list --pattern "camelcase", this is the output:
yarn list v1.22.5
├─ [email protected]
└─ [email protected]
└─ [email protected]
Solution 3
npm list --depth=0 is 1000x faster than yarn why <each package>.
It also tells you about extraneous dependencies, unmet peer deps, etc, but the output is very clean - still cleaner than yarn why
Solution 4
For programmatic use, I like yarn list:
yarn list --pattern lodash --depth=0 --json --non-interactive --no-progress | jq -r '.data.trees[].name'
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
For even better programmatic use: https://www.npmjs.com/package/@yarnpkg/lockfile
Comments
-
0xC0DED00D over 2 years
I am writing an internal tool which compares the version installed in a project and only allow certain version to be passed. For that I have to check the version which is resolved in the
yarn.lockfile, as package.json file has a semver range, not specific version and it doesn't tell you the dependency of the dependency anyway.I tried using
yarn listcommand, but it prints the semver range too and is very hard to parse (even with--jsonoption). Soyarn.lockseems like the only way. I know thatyarn.lockmay have separate versions of the same package and in that case I want only the version which is installed in. thenode_nodules(must be just one of them). I have no idea how to parse the lockfile though.Another way I could think of is actually going into
node_modulesfolder and checking the version in thepackage.jsonof the package.None of the above option looks clean to me. Is there any way I can know the resolved version of a specific package (provided I know the name of the package and I know that it's installed) easily and as cleanly as possible?
Update:
I actually wanted all the versions of the installed package (even if they're really deep in the dependency tree). -
0xC0DED00D about 3 yearsI guess the pattern value needs to be a regex string. I checked with
reactand it listed all the packages having react in their name. -
ivandz almost 3 yearsThe answer works for me but could be improved by handling scoped packages cases (when package name starts with
@):output.split('@')[1]here use the last element of array but not the second. -
0xC0DED00D over 2 yearsThere's already an answer with the same solution. How's that any better? Additionally, if I wanted to know about just the lodash package, I'll have to add another filter for it.
-
0xC0DED00D over 2 yearsHow can you be so sure that it's 1000x faster? Is there any benchmark? Moreover, I am not interested in depth 0 deps only. Moreover, I don't want to know about every package. I just wanna know if a given package is installed or not, if it is, what's the installed version. Parsing the entire list seems slower than just using
yarn why. -
0xC0DED00D over 2 yearsOne additional point is that I am using yarn as the package manager, not npm. When using
npm listwithoutpackage-lock.jsonI received a lot of errors for missing deps. -
Piotr over 2 yearswhat '-A' is for?
-
Noah Allen over 2 yearsThe -A flag stands for —all: “Print versions of a package from the whole project.” I believe this would help if you had a monorepo and just wanted to run yarn info from the root directory. -
Nathan Adams about 2 years@noob this also adds some useful options
-
Time Killer about 2 yearsyou want the fastest, why notcat package.json | jq -r '.dependencies.pckname' -
0xC0DED00D about 2 years@TimeKiller It doesn't tell you the exact version of installed package. Also it doesn't tell you anything about transitive dependencies.
