Self-service
Describe the bug
Analysing some yarn.lock files from popular projects: hedgedoc, mastodon, grafana — They all contain entries without a checksum: field in their yarn.lock files. These correspond exactly with the entries which have a conditions: field.
I wonder why these entries don't need a checksum, or whether this is a intended at all.
To reproduce
$ mkdir new
$ cd new
$ yarn init
$ yarn add rollup
$ yq 'map_values(.checksum)' yarn.lock | grep null
__metadata: null
"@rollup/rollup-android-arm-eabi@npm:4.39.0": null
"@rollup/rollup-android-arm64@npm:4.39.0": null
"@rollup/rollup-darwin-arm64@npm:4.39.0": null
"@rollup/rollup-darwin-x64@npm:4.39.0": null
"@rollup/rollup-freebsd-arm64@npm:4.39.0": null
"@rollup/rollup-freebsd-x64@npm:4.39.0": null
"@rollup/rollup-linux-arm-gnueabihf@npm:4.39.0": null
"@rollup/rollup-linux-arm-musleabihf@npm:4.39.0": null
"@rollup/rollup-linux-arm64-gnu@npm:4.39.0": null
"@rollup/rollup-linux-arm64-musl@npm:4.39.0": null
"@rollup/rollup-linux-loongarch64-gnu@npm:4.39.0": null
"@rollup/rollup-linux-powerpc64le-gnu@npm:4.39.0": null
"@rollup/rollup-linux-riscv64-gnu@npm:4.39.0": null
"@rollup/rollup-linux-riscv64-musl@npm:4.39.0": null
"@rollup/rollup-linux-s390x-gnu@npm:4.39.0": null
"@rollup/rollup-linux-x64-gnu@npm:4.39.0": null
"@rollup/rollup-linux-x64-musl@npm:4.39.0": null
"@rollup/rollup-win32-arm64-msvc@npm:4.39.0": null
"@rollup/rollup-win32-ia32-msvc@npm:4.39.0": null
"@rollup/rollup-win32-x64-msvc@npm:4.39.0": null
"fsevents@patch:fsevents@npm%3A~2.3.2#optional!builtin<compat/fsevents>": null
"new@workspace:.": null
$
I would expect the @rollup/* npm dependencies to have checksums
Environment
System:
OS: Linux 6.13 cpe:/o:nixos:nixos:25.05 25.05 (Warbler)
CPU: (10) arm64 unknown
Binaries:
Node: 22.14.0 - /tmp/xfs-939393f9/node
Yarn: 4.8.0 - /tmp/xfs-939393f9/yarn
npm: 10.9.2 - /etc/profiles/per-user/yuka/bin/npmAdditional context
No response
Self-service
Describe the bug
Analysing some yarn.lock files from popular projects: hedgedoc, mastodon, grafana — They all contain entries without a
checksum:field in their yarn.lock files. These correspond exactly with the entries which have aconditions:field.I wonder why these entries don't need a checksum, or whether this is a intended at all.
To reproduce
I would expect the
@rollup/*npm dependencies to have checksumsEnvironment
System: OS: Linux 6.13 cpe:/o:nixos:nixos:25.05 25.05 (Warbler) CPU: (10) arm64 unknown Binaries: Node: 22.14.0 - /tmp/xfs-939393f9/node Yarn: 4.8.0 - /tmp/xfs-939393f9/yarn npm: 10.9.2 - /etc/profiles/per-user/yuka/bin/npmAdditional context
No response