yarn install unexpectedly updates git repos and changes yarn.lock

[adamchainz]

Do you want to request a feature or report a bug?

Bug

What is the current behavior?

As reported on #570, plain yarn install can fetch new versions of git-branch-based dependencies and update yarn.lock, even though yarn.lock already locked them at a particular commit SHA and package.json hasn't changed. This changes the contents of node_modules compared to the yarn install that generated the yarn.lock. The only workaround is to always install with --pure-lockfile.

If the current behavior is a bug, please provide the steps to reproduce.

Sorry I'm not great with this stuff. I think you'd have to make a test git repo as a dependency to some local package, and push commits to it after a first yarn install generates yarn.lock.

What is the expected behavior?

yarn install should just install the locked commit from yarn.lock and not even check the git branch.

Please mention your node.js, yarn and operating system version.

$ node --version
v6.9.1
$ yarn --version
0.16.1
$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 14.04.4 LTS
Release:	14.04
Codename:	trusty