The lockfile will contain an exact commit hash for the “master” branch at the time of the install: you will get that exact commit back because the lockfile still exists.
If you delete the lockfile and reinstall you will get the latest “master” commit, but you will also get all of your other dependencies upgraded since the lockfile won’t be there to lock them to a specific version.
I also filed an NPM issue for that here and am awaiting comment.

Non-deterministic due to optionalDependencies

Yarn always includes all dependencies (including devDependencies and optionalDependencies) in the “yarn.lock” file, whether or not they were actually installed on the machine that generated it.
This is what makes a truly deterministic install possible: the lockfile describes the whole tree, not just the subset one platform happened to need.
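As an added example (not code from the original post), the following script parses a Yarn v1 lockfile and reports any dependency declared in package.json, across dependencies, devDependencies and optionalDependencies, that is missing from the lockfile or resolved to a URL without a content hash; the package names and lockfile text are constructed, and the parser assumes the standard 2-space yarn.lock v1 layout.

```javascript
// Added example, not code from the original post: parse a Yarn v1 lockfile
// and report declared deps that are not pinned to hashed content.
// Minimal yarn.lock v1 parser; assumes the standard 2-space indentation.
function parseYarnLock(text) {
  const entries = {};
  let cur = null;
  for (const line of text.split("\n")) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Header: comma-separated "name@range" keys (optionally quoted) ending in ":"
      cur = { version: null, resolved: null, integrity: null };
      for (const k of line.slice(0, -1).split(",")) entries[k.trim().replace(/^"|"$/g, "")] = cur;
    } else if (cur && /^  \S/.test(line)) {
      const m = line.trim().match(/^(version|resolved|integrity) "?([^"]+)"?$/);
      if (m) cur[m[1]] = m[2];
    } // deeper-indented lines (nested "dependencies:") are not needed here
  }
  return entries;
}

// Pinned means: an integrity field, or a 40-hex URL fragment (the sha1 of a
// registry tarball, or the commit hash recorded for a git "master" dependency).
function unpinnedDependencies(pkg, lock) {
  const problems = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const e = lock[`${name}@${range}`];
      if (!e) problems.push(`${name}: not in yarn.lock`);
      else if (!e.integrity && !/#[0-9a-f]{40}$/.test(e.resolved || ""))
        problems.push(`${name}: ${e.resolved} has no content hash`);
    }
  }
  return problems;
}

// Constructed sample inputs (hypothetical package names): a registry dep, a git
// dep pinned to a commit, a dev dep mirrored without a hash, a missing optional dep.
const PACKAGE_JSON = {
  dependencies: { lodash: "^4.17.0", "some-lib": "git+https://github.com/example/some-lib.git" },
  devDependencies: { eslint: "^5.0.0" },
  optionalDependencies: { fsevents: "^1.2.0" },
};
const YARN_LOCK = `# yarn lockfile v1
lodash@^4.17.0, lodash@^4.17.5:
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.11.tgz#b39ea6229ef607ecd89e2c8df12536891cac9b8d"
"some-lib@git+https://github.com/example/some-lib.git":
  resolved "git+https://github.com/example/some-lib.git#0123456789abcdef0123456789abcdef01234567"
eslint@^5.0.0:
  resolved "https://internal-mirror.example/eslint-5.0.0.tgz"
`;
function report() { return unpinnedDependencies(PACKAGE_JSON, parseYarnLock(YARN_LOCK)); }
```

Running `report()` on the sample flags the eslint entry (mirrored tarball with no hash) and the fsevents entry (absent from the lockfile), while the registry and git entries pass.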
One of the interesting key features of Yarn is the “Offline mirror”.
This is intended to enable you to commit the downloaded gzipped package tarballs along with your code.
This was a core feature that Facebook added from the outset; it enabled them to keep their CI servers safely in-house rather than on the public internet, and still be able to “yarn install” dependencies.

At the time this felt like the right move for the team as a balance between new features (lock file!) and not having to learn anything new (everyone already knows how to NPM).
(I do think “NPM publish” for publishing new packages does work much better than Yarn at the moment.)

Yarn actually had the same problem for a while; the first time I tried Yarn, there were no fewer than 3 issues that prevented me from actually using it (and that is why I stayed on NPM 3 for a while, and eventually gave NPM 5 a shot).
NPM is now at 5.2.1 and some basic things still prevent me from using it (especially the lockfile changing between installs of the same packages and between devs on the team).