grammyjs / grammY

The Telegram Bot Framework.
https://grammy.dev
MIT License

Deno: The source code is invalid, as it does not match the expected hash in the lock file #373

Closed jherdman closed 1 year ago

jherdman commented 1 year ago

I have been repeatedly bumping into the following error with a Deno-based bot in CI:

error: The source code is invalid, as it does not match the expected hash in the lock file.
  Specifier: https://esm.sh/@grammyjs/types@2.12.1
  Lock file: /path/to/project/deno.lock

I've reviewed the integrity checking docs for Deno, but I can't seem to wrap my head around this one. It seems like the hash for the above package changes almost every time I refresh the cache.

I'm not sure what the solution is, but I thought I'd raise this on the off chance this made sense to someone.

KnorpelSenf commented 1 year ago

The Bot API types grammY imports are not pinned. The content may change from time to time as we fix typos or other small mistakes. That way, we can perform patch releases for the API types without having to update 30 plugins and perform releases for all of them.

You can mitigate this by deleting the lock file and doing a --reload.

If you want to be extra sure for security reasons that no remote content could ever change, consider vendoring your dependencies.

jherdman commented 1 year ago

Thank you! That was very helpful.