NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Mastodon package will break on next release due to change to yarn lockfile v2 #277697

Open Eisfunke opened 7 months ago

Eisfunke commented 7 months ago

Describe the bug

Mastodon now uses yarn lockfile v2 on the main branch (see here). The current release 4.2.3 still uses a v1 lockfile (see here).

v2 lockfiles aren't supported yet by fetchYarnDeps, which is used in the Mastodon package, see issue #254369.

So, on the next release, which will probably distribute the new v2 lockfile, the package including its update script (it uses prefetch-yarn-deps which doesn't support the new lockfiles either) will break.

I noticed this because I use a copy of the package on glitch-soc, which doesn't have releases and also started to use the new lockfiles, therefore I couldn't update.

I thought I should open an issue to give a heads-up, so we won't be hit unexpectedly on the next release.

Notify maintainers

@happy-river @erictapen @Izorkin @ghuntley

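A small format check, added here as an example and not code from nixpkgs or Mastodon, that an update script could run before handing a lockfile to prefetch-yarn-deps: it tells the classic v1 header apart from the berry-style `__metadata` block and refuses anything but v1. The two sample lockfile headers are constructed, not taken from a Mastodon release.

```python
import re

# Constructed sample: header of a Yarn classic (v1) lockfile.
V1_LOCK = """# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/core@^7.0.0":
  version "7.23.0"
  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.23.0.tgz"
"""

# Constructed sample: header of a Yarn berry (v2+) lockfile; the format
# version lives in the __metadata block instead of a comment.
BERRY_LOCK = """# This file is generated by running "yarn install" inside your project.
# Manual changes might be lost - proceed with caution!

__metadata:
  version: 8
  cacheKey: 10

"@babel/core@npm:^7.0.0":
  version: 7.23.0
  resolution: "@babel/core@npm:7.23.0"
"""


def yarn_lockfile_format(text: str):
    """Return ("v1", 1) for a classic lockfile, ("berry", N) for a v2+ lockfile
    where N is the __metadata version, or ("unknown", None) otherwise."""
    head = text[:2000]  # both markers sit at the top of the file
    if re.search(r"^# yarn lockfile v1\s*$", head, re.M):
        return ("v1", 1)
    m = re.search(r"^__metadata:\s*\n\s+version:\s*(\d+)", head, re.M)
    if m:
        return ("berry", int(m.group(1)))
    return ("unknown", None)


def supported_by_fetch_yarn_deps(text: str) -> bool:
    """fetchYarnDeps / prefetch-yarn-deps only understand the v1 format
    (see #254369), so anything else should fail the update early."""
    return yarn_lockfile_format(text)[0] == "v1"


if __name__ == "__main__":
    for name, lock in (("v1", V1_LOCK), ("berry", BERRY_LOCK)):
        print(name, yarn_lockfile_format(lock), supported_by_fetch_yarn_deps(lock))
```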

NotNite commented 6 months ago

This is much more worrying now that a critical Mastodon security advisory has been released: https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw

Eisfunke commented 6 months ago

This is much more worrying now that a critical Mastodon security advisory has been released: GHSA-3fjr-858r-92rw

I thought so too at first, but it's fine.

The security patch has been backported to the stable 4.2 branch, which still has the old lockfile, so there's no problem there. Indeed someone has already committed the latest stable version 4.2.5 with the security fix:

https://github.com/NixOS/nixpkgs/commit/48bc814c7b900cba2e6f393dd4c01a6df23b0123

So this issue is still just a blocker for updating to 4.3 once that's released.

NotNite commented 6 months ago

Uh... what do I do if I'm on a commit that is 4.3 branch but before yarn 2? 😅

Eisfunke commented 6 months ago

Well, uh, that's a little more complicated then.

You could either create a patch file with the fix and only the fix and apply that via patches in an override. The actual fix commit is quite small, so that should work without bigger problems.

Or you could work around the lockfile problem itself, which isn't that hard, but requires some custom copy-pasted-and-modified code. E.g. you can take a look at what I did for my glitch-soc package here. I stole that fix mostly from here.

I hope that helps somewhat :)

NotNite commented 6 months ago

You're a lifesaver! I went with the lockfile workaround, and after crashing WSL twice (lol) I've been able to deploy the latest commit of Chuckya (a glitch-soc fork) for my instance. Of course, I'm treating this as a temporary hack. Thank you so much!