openSUSE / obs-service-node_modules

Service stopped working as integrity is a list not a string #25

Closed cryptomilk closed 1 year ago

cryptomilk commented 2 years ago
osc service manualrun
Traceback (most recent call last):
  File "/usr/lib/obs/service/node_modules", line 595, in <module>
    sys.exit(main(args))
  File "/usr/lib/obs/service/node_modules", line 347, in main
    process_packagelock_file(js)
  File "/usr/lib/obs/service/node_modules", line 313, in process_packagelock_file
    collect_deps_recursive("", js["dependencies"])
  File "/usr/lib/obs/service/node_modules", line 295, in collect_deps_recursive
    add_standard_dependency(url, integrity, module, path)
  File "/usr/lib/obs/service/node_modules", line 217, in add_standard_dependency
    algo, chksum = integrity.split("-", 2)
ValueError: too many values to unpack (expected 2)
Aborting: service call failed:  /usr/lib/obs/service/node_modules --cpio node_modules.obscpio --output node_modules.spec.inc --source-offset 1000 --outdir /home/asn/workspace/package/obs/home:gladiac:ig-klettern/routenbuch/tmpyawja9vu.node_modules.service

There are entries with two checksums:

"integrity": "sha1-Sb1jMdfQLQwJvJEKEHW6gWW1bfk= sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==",

package-lock.json.txt

JanZerebecki commented 2 years ago

How did you generate this lock file and from which package.json? If I query the package on npm I cannot reproduce:

$ npm view inflight@1.0.6 dist.integrity
sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==

cryptomilk commented 2 years ago

The details of how I generated the package-lock.json are described here:

https://build.opensuse.org/package/view_file/home:gladiac:ig-klettern/routenbuch/README.md?expand=1

cryptomilk commented 2 years ago

I manually edited the package-lock.json afterwards and removed the sha1 checksum entries to get it working.

JanZerebecki commented 2 years ago

Do we use a different npm version? I can't reproduce:

> wget https://gitlab.com/routenbuch/routenbuch/-/raw/master/package.json
> npm install --package-lock-only --legacy-peer-deps --ignore-scripts
> npm --version
8.5.2
> grep -A 3 'inflight": {' package-lock.json 
    "node_modules/inflight": {
      "version": "1.0.6",
      "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
      "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==",
--
    "inflight": {
      "version": "1.0.6",
      "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
      "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==",

Also https://docs.npmjs.com/cli/v7/configuring-npm/package-lock-json says one string, not a list nor a subresource integrity attribute value.

AdamMajer commented 1 year ago

I will close this as invalid (bug in npm?) since it seems to be different from the spec. If it appears again, please re-open and then I'll fix it here.
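
Added example, not part of the original thread and not the service's own code: a tolerant parser for the two-entry "integrity" value reported above, which the split("-", 2) call in the traceback turns into three parts. The function names and the preference order (strongest hash wins, sha1 only as a last resort) are assumptions made for illustration, and the sample data is constructed.

```python
import base64
import hashlib
import hmac

# Assumed preference order: strongest first, sha1 only if nothing else is listed.
PREFERENCE = ("sha512", "sha384", "sha256", "sha1")


def parse_integrity(value):
    """Map each whitespace-separated "algo-base64" entry to its raw digest."""
    entries = {}
    for token in value.split():
        algo, sep, b64 = token.partition("-")  # standard base64 has no "-"
        if not sep or algo not in PREFERENCE or algo in entries:
            raise ValueError(f"unsupported or duplicate integrity entry: {token!r}")
        digest = base64.b64decode(b64, validate=True)
        if len(digest) != hashlib.new(algo).digest_size:
            raise ValueError(f"wrong digest length for {algo}")
        entries[algo] = digest
    if not entries:
        raise ValueError("empty integrity value")
    return entries


def strongest(entries):
    """Return (algorithm, digest) for the most preferred algorithm present."""
    algo = next(a for a in PREFERENCE if a in entries)
    return algo, entries[algo]


def verify(data, integrity):
    """Check data against the strongest hash listed in the integrity value."""
    algo, expected = strongest(parse_integrity(integrity))
    return hmac.compare_digest(hashlib.new(algo, data).digest(), expected)


def make_integrity(data, algos):
    """Build an integrity value for constructed sample data."""
    return " ".join(
        algo + "-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()
        for algo in algos
    )


if __name__ == "__main__":
    tarball = b"constructed sample tarball bytes"  # constructed, not a real package
    value = make_integrity(tarball, ["sha1", "sha512"])
    print(strongest(parse_integrity(value))[0])
    print(verify(tarball, value), verify(tarball + b"x", value))
```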