Closed zhyupe closed 3 months ago
aduh95
commented
3 months ago Ah yes, that's an unfortunate side-effect, I'm not sure what would be the solution here 🤔 I suppose Yarn registry could use the archice format as the npm registry, but that would invalidate all the hashes for existing Corepack users.
arcanis
commented
3 months ago In the case of Yarn the tarball just contains the same source file as the website. We could add an fetch variant that pulls this one file from the archive rather than the whole archive 🤔
That should even be simplified since the checksum is computed right after the extraction, or writing the file on the disk: https://github.com/nodejs/corepack/blob/a05aec69ff6a8f9a523f9b34e32ba6332d0ce4de/sources/corepackUtils.ts#L195
zhyupe
commented
3 months ago Ah yes, that's an unfortunate side-effect, I'm not sure what would be the solution here 🤔 I suppose Yarn registry could use the archice format as the npm registry, but that would invalidate all the hashes for existing Corepack users.
Agreed but that change is kinda late as many user may already wrote hash of yarn.js into their package.json.
Therefore I prefer @arcanis 's idea by adding an option (maybe on npmRegistry) to extract only the yarn.js file, as things got really complicated there and this is the simplest solution with least users affected (only those wrote hashes with COREPACK_NPM_REGISTRY will be broken). But that would be another yarn-berry-specific code branch in corepack.
Currently, yarn berry could be downloaded as two form, tar or js, depending on whether
COREPACK_NPM_REGISTRYis set. However, the hash validation step simply calculates the shasum of download stream, and obviously the hashes mismatch.For example, shasums for yarn 4.1.1 are:
Reproduce steps:
corepack use yarn@4.1.1withoutCOREPACK_NPM_REGISTRYbeing set. Hash will be written topackage.jsonCOREPACK_NPM_REGISTRYis set.corepack yarn, following error will be thrown: