Mastodon package will break on next release due to change to yarn lockfile v2 #277697

Open
Eisfunke opened this issue Dec 30, 2023 · 5 comments

@Eisfunke
Contributor

Describe the bug

Mastodon now uses yarn lockfile v2 on the main branch (see here). The current release 4.2.3 still uses a v1 lockfile (see here).

v2 lockfiles aren't supported yet by fetchYarnDeps, which is used in the Mastodon package, see issue #254369.

So, on the next release, which will probably distribute the new v2 lockfile, the package including its update script (it uses prefetch-yarn-deps which doesn't support the new lockfiles either) will break.

I noticed this because I use a copy of the package on glitch-soc, which doesn't have releases and also started to use the new lockfiles, therefore I couldn't update.

I thought I should open an issue to give a heads-up, so we won't be hit unexpectedly on the next release.

Notify maintainers

@happy-river
@erictapen
@Izorkin
@ghuntley


Add a 👍 reaction to issues you find important.

@NotNite

NotNite commented Feb 1, 2024

This is much more worrying now that a critical Mastodon security advisory has been released: GHSA-3fjr-858r-92rw

@Eisfunke
Contributor Author

Eisfunke commented Feb 1, 2024

> This is much more worrying now that a critical Mastodon security advisory has been released: GHSA-3fjr-858r-92rw

I thought so too at first, but it's fine.

The security patch has been backported to the stable 4.2 branch, which still has the old lockfile, so there's no problem there. Indeed someone has already committed the latest stable version 4.2.5 with the security fix:

48bc814

So this issue is still just a blocker for updating to 4.3 once that's released.

@NotNite

NotNite commented Feb 1, 2024

Uh... what do I do if I'm on a commit that is 4.3 branch but before yarn 2? 😅

@Eisfunke
Contributor Author

Eisfunke commented Feb 1, 2024

Well, uh, that's a little more complicated then.

You could either create a patch file with the fix and only the fix and apply that via patches in an override. The actual fix commit is quite small, so that should work without bigger problems.

Or you could use a workaround for the lockfile problem itself, which isn't that hard, but requires some custom copy-pasted-and-modified code. E.g. you can take a look at what I did for my glitch-soc package here. I stole that fix mostly from here.

I hope that helps somewhat :)

@NotNite

NotNite commented Feb 2, 2024

You're a lifesaver! I went with the lockfile workaround, and after crashing WSL twice (lol) I've been able to deploy the latest commit of Chuckya (a glitch-soc fork) for my instance. Of course, I'm treating this as a temporary hack. Thank you so much!
