This behavior does carry it’s own shortcoming though; It means that Yarn still needs to download the metadata for all dependencies in all install types.
This was a core feature that Facebook added from the outset that enabled them to keep their CI servers safely in-house and not on the public internet, and still be able to “yarn install” dependencies.
The lockfile will contain an exact commit hash for the “master” branch at the time of the install: you will get that exact commit back because the lockfile still exists.
If you delete the lockfile and reinstall you will get the latest “master” commit, but you will also get all of your other dependencies upgraded since the lockfile won’t be there to lock them to a specific version.
Since starting down that path, I feel like something in NPM5 has fought me the entire way…
In the end, I’m now regretting that choice and thinking I should have just introduced Yarn sooner. NPM5 brought a huge improvement to speed (about 2x as fast) over NPM3 which was horribly slow.