I've been trying to write a Nix flake for Agregore. I believe that once it's done, NixOS users will be able to install (and build) Agregore by adding a single line to their config. I'm running into difficulties though. yarn2nix is stumbling over whatwg-mimetype: it says the hash is different each time (and Nix is very serious about reproducible builds, and I don't know how to tell it to ignore it, but there could be a way). I'm guessing the reason whatwg-mimetype doesn't have an integrity hash in the yarn.lock is because you're importing it via a GitHub link; none of the other packages are imported that way.
Are you using whatwg-mimetype though? I'm not getting any search results for it in the repo. Perhaps it could just be removed?
Additionally, looking into this, I visited the whatwg-mimetype repo. The author says here that it shouldn't be used on untrusted input (https://github.com/jsdom/whatwg-mimetype/issues/3) and that he knows of lots of attacks. If that's the case, uh, when should anyone ever use it then?
I can confirm the build completes when it's removed.
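
A check for the situation described in the post above, as an added example that is not part of the original post or of Agregore's code: it parses a yarn.lock (v1 format) and lists the entries that have no `integrity` field, which are the ones a fixed-hash build cannot verify from the lockfile. The sample lockfile, package names, URLs and hashes are constructed placeholders.

```javascript
'use strict';

// Constructed sample lockfile; names, URLs and hashes are placeholders.
const SAMPLE_LOCK = `# yarn lockfile v1

"example-git-pkg@github:example-org/example-git-pkg":
  version "2.0.0"
  resolved "https://codeload.github.com/example-org/example-git-pkg/tar.gz/0000000000000000000000000000000000000000"

example-registry-pkg@^1.0.0:
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/example-registry-pkg/-/example-registry-pkg-1.0.0.tgz#0000000000000000000000000000000000000000"
  integrity sha512-PLACEHOLDERPLACEHOLDER==
  dependencies:
    example-git-pkg "github:example-org/example-git-pkg"
`;

// Parse the v1 format: an unindented "key:" line opens an entry, and
// lines indented by exactly two spaces are that entry's top-level fields.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      current = { key: line.replace(/:$/, ''), fields: {} };
      entries.push(current);
      continue;
    }
    // Nested lines (dependency lists) are indented further and do not match.
    const m = /^ {2}([\w-]+) (.+)$/.exec(line);
    if (m && current) current.fields[m[1]] = m[2].replace(/^"|"$/g, '');
  }
  return entries;
}

// Entries with no integrity hash cannot be checked against the lockfile.
function findUnpinned(text) {
  return parseYarnLock(text)
    .filter((e) => !('integrity' in e.fields))
    .map((e) => ({ key: e.key, resolved: e.fields.resolved || null }));
}

for (const e of findUnpinned(SAMPLE_LOCK)) {
  console.log(`no integrity: ${e.key} -> ${e.resolved}`);
}
```
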