Improve handling of missing integrity hashes in package-lock.json #245439

Open
mweinelt opened this issue Jul 25, 2023 · 1 comment
Labels
0.kind: enhancement Add something new

Comments

@mweinelt
Member

Problem

Due to what is probably a bug in npm¹, lots of package-lock.json files lack the resolved URLs as well as integrity hashes for packages pinned in it.

This creates a problem for our current npm build infrastructure, which relies on a cache-only policy to ensure reproducibility.

Reproducer

One example² that breaks on this scenario is bokehjs, the javascript bits of bokeh:

bokehjs> npm ERR! code ENOTCACHED
bokehjs> npm ERR! request to https://registry.npmjs.org/p-map failed: cache mode is 'only-if-cached' but no cached response is available.

This can be reproduced by building python3.pkgs.bokeh.bokehjs in #215406.

Prior art

With the rust fetcher there is an issue, where cargo lock files don't contain hashes for git dependencies. In that case hashes will be embedded into the derivation in an attribute set cargoLock.outputHashes that maps from <package>-<version> to hash.

Something similar could be implemented for the npm fetcher.

[1] npm/cli#4460
[2] https://github.com/bokeh/bokeh/blob/91f0c3c9b04da751094642790511593fae41533d/bokehjs/package-lock.json#L101-L114
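As an added illustration of the gap described above (this is example code, not part of nixpkgs or of the issue), the script below scans a lockfile in the lockfileVersion 2/3 layout for registry packages that carry no `resolved` URL or `integrity` hash, and shows how an `integrity` value (npm's Subresource Integrity string) is checked against tarball bytes. The sample lockfile is constructed for the demonstration.

```python
import base64
import hashlib
import json

# Constructed sample lockfile: one complete entry, one entry missing both
# "resolved" and "integrity" (the npm/cli#4460 symptom), one workspace link.
SAMPLE_LOCK = json.dumps({
    "name": "example", "lockfileVersion": 3, "packages": {
        "": {"name": "example", "dependencies": {"p-map": "^4.0.0"}},
        "node_modules/p-map": {"version": "4.0.0"},
        "node_modules/aggregate-error": {
            "version": "3.1.0",
            "resolved": "https://registry.npmjs.org/aggregate-error/-/aggregate-error-3.1.0.tgz",
            "integrity": "sha512-" + base64.b64encode(b"\x00" * 64).decode(),
        },
        "node_modules/local-pkg": {"resolved": "packages/local", "link": True},
    },
})


def find_unpinned(lock_text: str) -> list[tuple[str, list[str]]]:
    """Return (path, missing fields) for every registry package in a
    lockfileVersion 2/3 file that lacks "resolved" and/or "integrity".
    Such entries cannot be served from a cache-only store."""
    lock = json.loads(lock_text)
    unpinned = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # root project and workspace symlinks have no tarball
        missing = [k for k in ("resolved", "integrity") if k not in meta]
        if missing:
            unpinned.append((path, missing))
    return unpinned


def sri_of(data: bytes, algo: str = "sha512") -> str:
    """Compute the SRI string ("<algo>-<base64 digest>") npm stores as
    "integrity" for a tarball's bytes."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def integrity_matches(integrity: str, data: bytes) -> bool:
    """Check tarball bytes against an "integrity" value. npm allows several
    space-separated hashes; any supported one that matches is accepted."""
    for entry in integrity.split():
        algo = entry.partition("-")[0]
        if algo in hashlib.algorithms_available and entry == sri_of(data, algo):
            return True
    return False
```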

@felschr
Member

felschr commented Oct 16, 2023

Additional related upstream issues: npm/cli#4263 npm/cli#6301
