package-lock.json missing resolved & integrity fields #719

Closed
felschr opened this issue Jul 14, 2023 · 8 comments · Fixed by #720
Labels
enhancement New feature or request

felschr commented Jul 14, 2023

Hi, while trying to package protoc-gen-connect-es for nixpkgs, I've run into the issue that the package-lock.json doesn't contain any resolved & integrity fields since 411bba5: NixOS/nixpkgs#243432 (comment)
These fields should exist according to the docs: https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json

This can likely be fixed by regenerating the lock file from scratch and/or updating to newer versions of npm.

I've also found the same issue with protobuf-es: bufbuild/protobuf-es#526

@felschr felschr added the bug Something isn't working label Jul 14, 2023
@timostamm timostamm added enhancement New feature or request and removed bug Something isn't working labels Jul 14, 2023
@timostamm
Member

@felschr, I'm not entirely sure what commands @smaye81 ran, but my guess is that the fields were removed from the lock file by re-generating it.

If you run the following commands:

```
$ npm --version
9.8.0
$ rm -rf package-lock.json
$ npm install
```

The lock-file is re-created, and all resolved and integrity fields are removed from the lock file. In this case, we removed a package from the repository, and the alternative to the commands above would be to edit the lock file manually, or to delete the node_modules directory as well before running npm install. The latter will also bump versions within the defined constraints.

I think it might not be completely uncommon to have lock files without those fields in the wild because of this behavior of npm...

Do you know an alternative in situations like this that retains the fields?

Member

smaye81 commented Jul 14, 2023

Just to confirm -- I used npm version 9.5.0 when regenerating the lock file.

lilyinstarlight commented Jul 14, 2023

Regenerating the lockfile should be adding those fields, not removing them. I just confirmed that locally with npm 9.7.2 -- removing the lockfile and doing npm install adds those fields correctly

Can you share the output of npm config list so we can check if you have some local setting that is causing that?

@lilyinstarlight

Oh there's an upstream issue for it. You might have to remove both node_modules and package-lock.json to get it to correctly regenerate. See npm/cli#6301

Member

smaye81 commented Jul 14, 2023

I just created #720 to regenerate package-lock.json using the instructions in npm/cli#6301. Let me know if this is what is needed to satisfy the nixpkgs issue.

Also please note that we can't guarantee this won't happen again due to the open npm cli issue. We aren't committing to manually ensuring the lock file always has these properties. Hopefully the issue on the npm side is resolved soon.

Member

smaye81 commented Jul 14, 2023

Also related fix in Protobuf-ES: bufbuild/protobuf-es#527

Author

felschr commented Jul 15, 2023

@smaye81 Thank you for the quick fix and the new release of protobuf-es!

Author

felschr commented Oct 16, 2023

npm issues that track the problem of missing integrity & resolved fields:
npm/cli#4263, npm/cli#4460, npm/cli#6301

Issue on protobuf-es to track this issue and hopefully find a long-term solution:
bufbuild/protobuf-es#589
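
A check that a CI job or downstream packager could run to catch the regression discussed in this thread, as an added example (not code from connect-es, npm or nixpkgs): it walks the `packages` map of a lockfileVersion 2 or 3 lock file and reports entries missing `resolved` or `integrity`. The sample lock file, its package names and the exemption rules for the root, links, bundled dependencies and workspace folders are assumptions made for the example.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3)
// for entries that lack the "resolved" or "integrity" fields.

// Assumption: these entry kinds carry no registry URL or hash by design.
function isExempt(path, entry) {
  if (path === "") return true;                      // the root project
  if (entry.link === true) return true;              // symlink to a local folder
  if (entry.inBundle === true) return true;          // bundled in its parent's tarball
  if (!path.includes("node_modules/")) return true;  // workspace source directory
  return false;
}

function findUnpinned(lock) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error('no "packages" map: expected lockfileVersion 2 or 3');
  }
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (isExempt(path, entry)) continue;
    const missing = ["resolved", "integrity"].filter(
      (field) => typeof entry[field] !== "string" || entry[field] === ""
    );
    if (missing.length > 0) {
      findings.push({ path, version: entry.version, missing });
    }
  }
  return findings;
}

// One human-readable line per finding, suitable for a CI log.
function report(lock) {
  return findUnpinned(lock).map(
    (f) => `${f.path}@${f.version}: missing ${f.missing.join(", ")}`
  );
}

// Constructed sample lock file; names, URLs and the hash are placeholders.
const SAMPLE_LOCK = {
  name: "example",
  lockfileVersion: 3,
  packages: {
    "": { name: "example", version: "0.0.0", workspaces: ["packages/web"] },
    "packages/web": { name: "@example/web", version: "0.0.0" },
    "node_modules/@example/web": { resolved: "packages/web", link: true },
    "node_modules/pinned": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/pinned/-/pinned-1.2.3.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/stripped": { version: "4.5.6" },
    "node_modules/url-only": {
      version: "0.1.0",
      resolved: "git+ssh://git@example.invalid/org/url-only.git#0000000",
    },
  },
};

console.log(report(SAMPLE_LOCK).join("\n"));
```

In CI, pass `findUnpinned` the result of `JSON.parse` on the lock file's contents and fail the job when the returned list is non-empty.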

bradbishop pushed a commit to openbmc/webui-vue that referenced this issue Jun 14, 2024
rm package-lock.json. Then regenerate package-lock.json using the yocto
version of npm, nodejs_20.11.1. [1]

devtool modify -n webui-vue <local webui-vue repo>
Then did a build.

This adds the integrity / resolved. It is based on a connectrpc
issue[2].

Prefer this solution over 71971[3] due to this using standard NPM.

[1]: https://github.com/openbmc/openbmc/blob/master/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_20.11.1.bb

[2]: connectrpc/connect-es#719 (comment)

[3]: https://gerrit.openbmc.org/c/openbmc/webui-vue/+/71971

Tested: A quick sanity test on the GUI works.

Change-Id: I13c098a7d07b2b8fdf3d82c2eaad3f35167757ae
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>