[Bug] checksum mismatch between Windows and non-Windows using npm-based dependency with executable file when building from source #2578

Closed
1 task done
jhurliman opened this issue Mar 7, 2021 · 4 comments
Labels
bug (Something isn't working), external bug (This issue highlights a bug in another project), stale (Issues that didn't get attention)

Comments

@jhurliman

  • I'd be willing to implement a fix

Describe the bug

It includes the following ingredients:

  • A dependency that uses npm (has a package-lock.json) and one or more packaged files with the +x executable bit set
  • A dependent project that uses yarn (has a yarn.lock) referencing the dependency using a github: URI or some method that will cause it to package from source
  • Attempting to run yarn install on both Windows and a POSIX operating system

POSIX OSes will end up preserving the executable bit during packaging while Windows does not, causing a checksum mismatch.

To Reproduce

I've created a minimal repro of this bug using these two repositories:
https://github.com/jhurliman/yarnpkg-checksum-test
https://github.com/jhurliman/yarnpkg-checksum-test-dep

@jhurliman jhurliman added the bug Something isn't working label Mar 7, 2021
@arcanis
Member

arcanis commented Mar 7, 2021

Yarn defers to whatever package manager is configured on a project when bundling it for consumption via Git. If the project contains a yarn.lock, it'll be Yarn, but if it contains a package-lock.json, it'll be npm (using npm pack). It seems here the problem is that npm doesn't generate portable archives - and we unfortunately can't really do anything about it 😕

@arcanis arcanis added the external bug This issue highlights a bug in another project label Mar 7, 2021
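
The mismatch described in this thread, as an added example (not code from the issue, Yarn, or npm): the same files are packed into a tar archive twice, once recording the executable bit and once not, and the archive checksums are compared. The file names, the 0o755/0o644 modes, hashing the uncompressed tar, and the fixed-mode normalization policy are assumptions made for illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample package: (archive path, contents, has +x on a POSIX checkout)
FILES = [
    ("package/package.json", b'{"name":"dep","version":"1.0.0"}\n', False),
    ("package/bin/cli.sh", b"#!/bin/sh\necho hello\n", True),
]


def pack(files, preserves_exec_bit, normalize=False):
    """Return tar bytes for `files`.

    preserves_exec_bit models the packing host (assumption): True for a
    POSIX filesystem, False for one that cannot report the +x bit.
    normalize=True writes one fixed mode for every entry, so the result
    no longer depends on the host (illustrative policy, drops +x).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data, is_exec in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # fixed, so the mode is the only varying field
            if not normalize and is_exec and preserves_exec_bit:
                info.mode = 0o755
            else:
                info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def checksum(archive):
    """SHA-512 over the raw archive bytes."""
    return hashlib.sha512(archive).hexdigest()


def entry_modes(archive):
    """Map each entry name to its permission bits as recorded in the tar header."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        return {m.name: oct(m.mode & 0o777) for m in tar.getmembers()}


def mode_diff(a, b):
    """List entries whose recorded mode differs between two archives."""
    ma, mb = entry_modes(a), entry_modes(b)
    return {n: (ma[n], mb.get(n)) for n in ma if ma[n] != mb.get(n)}
```

Running `mode_diff` on two archives that fail checksum verification shows whether permission bits alone explain the difference before suspecting tampering.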
@jaydenseric

See npm/cli#2846.

@yarnbot
Collaborator

yarnbot commented May 1, 2021

Hi! 👋

This issue looks stale, and doesn't feature the reproducible label - which implies that you didn't provide a working reproduction using Sherlock. As a result, it'll be closed in a few days unless a maintainer explicitly vouches for it or you edit your first post to include a formal reproduction (you can use the playground for that).

Note that we require Sherlock reproductions for long-lived issues (rather than standalone git repositories or similar) because we're a small team. Sherlock gives us the ability to check which bugs are still affecting the master branch at any given point, and decreases the amount of code we need to run on our own machines (thus leading to faster bug resolutions). It helps us help you! 😃

If you absolutely cannot reproduce a bug on Sherlock (for example because it's a Windows-only issue), a maintainer will have to manually add the upholded label. Thanks for helping us triage our repository! 🌟

@yarnbot yarnbot added the stale Issues that didn't get attention label May 1, 2021
@yarnbot yarnbot closed this as completed May 6, 2021
@IanVS
Contributor

IanVS commented Apr 1, 2022

It looks like npm no longer stores an integrity string for git dependencies: npm/cli#2846

But I'm still getting "The remote archive doesn't match the expected checksum", even when using npm 8.6.0. I guess that means that the package-lock.json in the target repo needs to be re-generated using a more recent version of npm?
