-
-
Notifications
You must be signed in to change notification settings - Fork 959
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
When a package references a tarball, and the tarball's dependencies change, the change isn't reflected in the shrinkwrap. #1342
Comments
I investigated this. We think that people are manually tampering with shrinkwrap.yaml. It starts out like this: 'file:projects/example.tgz':
dependencies:
gulp: 3.9.0
dev: false
name: '@rush-temp/example'
resolution:
integrity: sha512-A2ac6a6cPfvxyknisFEMpjV9vS3VW8u4cx6Abgdp0Kwel6v+NOfAuB7nXXFQJxZuYelJ1aSBWzZzRexh5A4lbg==
tarball: 'file:projects/example.tgz'
version: 0.0.0 ...and then I find a commit where (for some reason) a person has bumped gulp to 3.9.1, without updating the package.json file that ends up in this tarball. We're still trying to determine why people do this, but it's apparently something people do occasionally. Then A questionThis problem is admittedly pretty Rush-specific. But we're thinking the most robust solution would be to delete the @zkochan a couple questions:
|
I would like to know the reason for this before we make a decision. Integrities of local tarballs are useful because pnpm uses them to detect changes inside the tarballs. So if the gulp version inside the tarball is bumped, the integrity changes and pnpm unpacks it and reinstalls |
Following up: I tracked down the person who committed the changes. He's pretty sure that nobody manually modified the shrinkwrap.yaml file. It was part of an incident where a bundle size increased because two different versions of a dependency were getting installed, and during the scuffle they had to roll back their Git branch a couple times, and also resolve merge conflicts with the master branch. It is conceivable that Git incorrectly merged the shrinkwrap file, however our .gitattributes specifically tries to prevent this:
@zkochan Is it possible that PNPM itself can fail to update the integrity hash in certain circumstances? Rush actually regenerates these tarballs for every installation. In the past, we had problems where the integrity hash would be different each time, due to timestamps inside the tarball. We mostly worked around that by using the portable option for tar, however certain people still get diffs occasionally for some reason (maybe NTFS path case differences?). If it won't significantly affect PNPM performance, deleting the integrity hashes from the shrinkwrap.yaml file might fix both issues. |
I think it might be an issue with headless installation. If my assumption is correct, the fix should be easy: pnpm should never run headless installation if there are local tarball dependencies |
I still have the repro -- lemme try that. |
This fixed the problem! Should we have Rush always include |
If Rush always uses local tarballs, then I think you can use |
We'll do that, since not everyone will be using the latest PNPM. Thanks again for helping us investigate this! |
…line as a workaround for pnpm/pnpm#1342
@zkochan We can close this issue now also. Thanks again! |
pnpm version:
2.13.6
Code to reproduce the issue:
Currently putting together repro repo
Expected behavior:
When a package references a tarball, and the tarball's dependencies change, the change is reflected in the shrinkwrap and the correct dependencies are installed.
Actual behavior:
When a package references a tarball, and the tarball's dependencies change, the change isn't reflected in the shrinkwrap and incorrect dependencies are installed.
Additional information:
node -v
prints: 8.11.4The text was updated successfully, but these errors were encountered: