Closed zhyupe closed 3 months ago
Ah yes, that's an unfortunate side-effect, I'm not sure what would be the solution here 🤔 I suppose Yarn registry could use the archice format as the npm registry, but that would invalidate all the hashes for existing Corepack users.
In the case of Yarn the tarball just contains the same source file as the website. We could add an fetch variant that pulls this one file from the archive rather than the whole archive 🤔
That should even be simplified since the checksum is computed right after the extraction, or writing the file on the disk: https://github.com/nodejs/corepack/blob/a05aec69ff6a8f9a523f9b34e32ba6332d0ce4de/sources/corepackUtils.ts#L195
Ah yes, that's an unfortunate side-effect, I'm not sure what would be the solution here 🤔 I suppose Yarn registry could use the archice format as the npm registry, but that would invalidate all the hashes for existing Corepack users.
Agreed but that change is kinda late as many user may already wrote hash of yarn.js
into their package.json.
Therefore I prefer @arcanis 's idea by adding an option (maybe on npmRegistry) to extract only the yarn.js
file, as things got really complicated there and this is the simplest solution with least users affected (only those wrote hashes with COREPACK_NPM_REGISTRY
will be broken). But that would be another yarn-berry-specific code branch in corepack.
Currently, yarn berry could be downloaded as two form, tar or js, depending on whether
COREPACK_NPM_REGISTRY
is set. However, the hash validation step simply calculates the shasum of download stream, and obviously the hashes mismatch.For example, shasums for yarn 4.1.1 are:
Reproduce steps:
corepack use yarn@4.1.1
withoutCOREPACK_NPM_REGISTRY
being set. Hash will be written topackage.json
COREPACK_NPM_REGISTRY
is set.corepack yarn
, following error will be thrown: