pastelsky / bundlephobia

🏋️ Find out the cost of adding a new frontend dependency to your project
https://bundlephobia.com
MIT License

Yarn install fails in local dev environment #707

Open igordanchenko opened 2 years ago

igordanchenko commented 2 years ago

Describe the bug

Yarn install fails in the local dev environment, making it impossible to start the local dev environment without removing the broken custom dependency (pastelsky/webpack-4-modern).

To Reproduce

% git clone git@github.com:igordanchenko/bundlephobia.git

% node -v
v16.13.1

% yarn -v
3.2.0

% yarn install
➤ YN0000: ┌ Resolution step
➤ YN0002: │ @firebase/auth@npm:0.16.7 [e6d3c] doesn't provide @firebase/app-types (p549f4), requested by @firebase/auth-types
➤ YN0002: │ @firebase/auth@npm:0.16.7 [e6d3c] doesn't provide @firebase/util (pc4e73), requested by @firebase/auth-types
➤ YN0002: │ @firebase/database@npm:0.10.5 doesn't provide @firebase/app-types (p0124d), requested by @firebase/auth-interop-types
➤ YN0060: │ bundlephobia@workspace:. provides react (p81570) with version 18.2.0, which doesn't satisfy what react-autocomplete requests
➤ YN0060: │ bundlephobia@workspace:. provides react-dom (p55d2a) with version 18.2.0, which doesn't satisfy what react-autocomplete requests
➤ YN0002: │ package-build-stats@npm:7.3.13 doesn't provide @vue/compiler-sfc (p1d948), requested by vue-loader
➤ YN0002: │ package-build-stats@npm:7.3.13 doesn't provide eslint (p06f0a), requested by babel-eslint
➤ YN0060: │ package-build-stats@npm:7.3.13 provides webpack (pd9290) with version 4.45.1-modern-acorn-0, which doesn't satisfy what string-replace-loader requests
➤ YN0000: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code
➤ YN0000: └ Completed in 0s 329ms
➤ YN0000: ┌ Fetch step
➤ YN0013: │ yargs@npm:6.6.0 can't be found in the cache and will be fetched from the remote registry
➤ YN0013: │ yeast@npm:0.1.2 can't be found in the cache and will be fetched from the remote registry
➤ YN0013: │ ylru@npm:1.2.1 can't be found in the cache and will be fetched from the remote registry
➤ YN0013: │ yocto-queue@npm:0.1.0 can't be found in the cache and will be fetched from the remote registry
➤ YN0013: │ webpack@https://github.com/pastelsky/webpack-4-modern.git#commit=fca4748eafe351bf9757c04ef9fcce2151c6ac14 can't be found in the cache and will be fetched from the remote repository
➤ YN0018: │ webpack@https://github.com/pastelsky/webpack-4-modern.git#commit=fca4748eafe351bf9757c04ef9fcce2151c6ac14: The remote archive doesn't match the expected checksum
➤ YN0000: └ Completed in 40s 261ms
➤ YN0000: Failed with errors in 40s 597ms

% yarn dev
Usage Error: Couldn't find the node_modules state file - running an install might help (findPackageLocation)

The error causing yarn install failure:

webpack@https://github.com/pastelsky/webpack-4-modern.git#commit=fca4748eafe351bf9757c04ef9fcce2151c6ac14: The remote archive doesn't match the expected checksum

Removing the following resolution in package.json allows yarn installation to complete without errors.

  "resolutions": {
    "package-build-stats/webpack": "pastelsky/webpack-4-modern#fca4748eafe351bf9757c04ef9fcce2151c6ac14"
  },

Expected behavior

yarn install should complete without failures.

igordanchenko commented 2 years ago

Here is a temporary workaround that worked in my case:

YARN_CHECKSUM_BEHAVIOR=ignore yarn install

darasus commented 2 years ago

I believe you need to authenticate with GitHub locally to be able to fetch packages. I would look into this: https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry

igordanchenko commented 2 years ago

Confirming I am authenticated via personal GitHub token in the ~/.npmrc

But what does this resolution have to do with GitHub packages? I thought it is just pulling that dependency from a specific commit in a public GitHub repo? (hence, the authentication should be irrelevant)

darasus commented 2 years ago

You need an access token to publish, install, and delete private, internal, and public packages

Just wanted to confirm that you are authenticated as this was my issue.

darasus commented 2 years ago

When installing GitHub "repos", npm treats them as packages

igordanchenko commented 2 years ago

Here is what I have in my .npmrc:

//npm.pkg.github.com/:_authToken=ghp_<my_token>

Is this sufficient?

darasus commented 2 years ago

I've used npm login cli, haven't tried .npmrc tbh

igordanchenko commented 2 years ago

Yes, I believe I'm all set with authentication here.

% npm whoami --registry https://npm.pkg.github.com
igordanchenko

kiosion commented 2 years ago

Definitely not an authentication issue, given the package is cloned and built successfully and only fails at checksum validation. I'm also running into this in personal projects, with dependencies set to GitHub URLs with version or release tags.

Possibly related to https://github.com/yarnpkg/berry/issues/2399?

igordanchenko commented 2 years ago

Most likely
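
An added example (not part of the thread or the bundlephobia code base): a Node.js script that lists which entries of a Yarn Berry `yarn.lock` resolve from a git URL, like the webpack resolution that fails above, so a reviewer can see which entries the failing check concerns before relaxing it; `YARN_CHECKSUM_BEHAVIOR=ignore` skips checksum verification for every package in the install, registry packages included. The lockfile sample is constructed, its checksum values are placeholders, and the function names are hypothetical.

```javascript
// Added example: audit a Yarn Berry lockfile for git-sourced entries.
// SAMPLE_LOCK is constructed for illustration; checksums are placeholders.
const SAMPLE_LOCK = `
"webpack@https://github.com/pastelsky/webpack-4-modern.git#commit=fca4748eafe351bf9757c04ef9fcce2151c6ac14":
  version: 4.45.1-modern-acorn-0
  resolution: "webpack@https://github.com/pastelsky/webpack-4-modern.git#commit=fca4748eafe351bf9757c04ef9fcce2151c6ac14"
  checksum: PLACEHOLDER_CHECKSUM_A
  linkType: hard

"yeast@npm:0.1.2":
  version: 0.1.2
  resolution: "yeast@npm:0.1.2"
  checksum: PLACEHOLDER_CHECKSUM_B
  linkType: hard
`;

// Split into blank-line separated entries and read each entry's
// two-space-indented "key: value" fields (nested maps are skipped).
function parseLockEntries(text) {
  return text.split(/\n\s*\n/).map((block) => {
    const fields = {};
    for (const line of block.split("\n")) {
      const m = /^  ([A-Za-z]+): "?(.*?)"?$/.exec(line);
      if (m) fields[m[1]] = m[2];
    }
    return fields;
  }).filter((f) => f.resolution);
}

// The reference starts after the "@" that follows the package name
// (searching from index 1 skips the leading "@" of scoped names).
function isGitResolution(resolution) {
  const ref = resolution.slice(resolution.indexOf("@", 1) + 1);
  return /^(https?|ssh|git(\+\w+)?):\/\/.*(\.git(#|$)|#commit=)/.test(ref);
}

function auditLock(text) {
  const entries = parseLockEntries(text);
  const gitSourced = entries
    .filter((e) => isGitResolution(e.resolution))
    .map((e) => ({
      resolution: e.resolution,
      commitPinned: /#commit=[0-9a-f]{40}$/.test(e.resolution),
      hasChecksum: Boolean(e.checksum),
    }));
  return { total: entries.length, gitSourced };
}

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

To run it against a real project, pass the contents of `yarn.lock` to `auditLock` instead of `SAMPLE_LOCK`.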