mozilla / npm-lockdown

Lock down your npm dependencies by shasum.
Mozilla Public License 2.0

npm >= 1.4.11 (i.e., nodejs >= 0.10.29) will break npm-lockdown #29

Closed jrgm closed 10 years ago

jrgm commented 10 years ago

Currently, nodejs is at 0.10.28 which comes with npm @ 1.4.9. lockdown works with that version.

But I had updated to npm @ 1.4.15, and in that version there are changes to the structure of the .npm cache. In particular, the .cache.json files are now kept in a per-registry-host directory under .npm. This breaks getShasum in relock.js, and breaks npm-lockdown.

vladikoff commented 10 years ago

Does it seem like npm is not following semver?

jrgm commented 10 years ago

@vladikoff - possibly. My notes are just anecdotal. I haven't traced the handling of .cache.json to the actual commit, but lockdown was failing with 1.4.15 but working with 1.4.9, and it seemed to me to be that structural change.

seanmonstar commented 10 years ago

Pretty certain that npm doesn't follow semver, but accessing internal caches not exposed by a public API is always risky.

pdehaan commented 10 years ago

FWIW, currently Node.js is at 0.10.29 (released Jun 16) which comes w/ npm 1.4.14, so it may be currently broken w/ release versions of Node 0.10.latest.

http://blog.nodejs.org/2014/06/16/node-v0-10-29-stable/


jrgm commented 10 years ago

Yeah, so this starts breaking with changes in npm 1.4.11, so we are broken starting with node.js 0.10.29 (with default npm install).

tomgco commented 10 years ago

The following PR #30 reads the current registry from the user's .npmrc and, if the previous methods of reading the cache directories fail, searches for cache/registry/name etc.

And because this uses the npmconf module from npm we can also use npm environment variables to change the detected registry.

demisx commented 10 years ago

I am on node 0.10.31 and npm 2.0.0-alpha-5. If I understood correctly, npm-lockdown is not compatible with these versions and my next choice is npm-shrinkwrap. Are there any plans to have this package compatible with the latest node/npm?

seanmonstar commented 10 years ago

I merged in this fix (sorry for taking so long), but the best solution would be for npm-shrinkwrap to validate shasums. So, pile on in here https://github.com/npm/npm/issues/2649