bug: github.com packages not supported #166
Comments
Thanks for the issue. I ran into this as well and we should resolve for 1.0.
Hmm. That is unfortunate that there is no integrity SHA provided for these URLs.
yarn doesn't either in its lockfile.
Presumably this is because a consistent SHA is not guaranteed over time. Without a SHA, the downloaded archives won't go into the external repository cache, but they shouldn't anyway if their SHA is not guaranteed to be consistent.
Ah yeah, makes sense. So short term just (unfortunately) not caching it makes sense, but long term maybe it's worthwhile to add a dictionary for SHAs to the I appreciate the call-out though, as I'd like to raise this with our teams as it feels like a big code-audit hole.
Cut a release which includes the fix: https://github.com/aspect-build/rules_js/releases/tag/v0.11.1
A dictionary of SHAs sounds reasonable to fill in gaps where there is no SHA provided in the lock file. |
Let's use 90% of our energy to push for an upstream fix; they are breaking supply chain security for everyone and it's not a Bazel-specific problem...
100% agreed here, if anything (at all) is done on this side it should be minimal effort. |
Interesting side note: there actually is a SHA in the
Must be a pnpm bug then.
We have a transitive dependency on `aframe` which requires other packages via a github reference. In our `pnpm-lock.json` that looks like: (caveat: we don't use pnpm ourselves, but this comes from `pnpm import` on our Node `package-lock.json`)

With `rules_js@0.11.0`, `bazel sync` gets the following error:

This error seems to actually occur when processing the list of packages themselves, which expects first that the package path starts with `/`, then that it has a `resolution.integrity` field (these packages have a `resolution.tarball` field instead). Presumably, it needs to recognize general paths for packages, and pull them down via the `tarball` link.