pnpm / pnpm

Fast, disk space efficient package manager
https://pnpm.io
MIT License

Host key verification failed after Dependabot updates #8343

Open eikowagenknecht opened 1 month ago

eikowagenknecht commented 1 month ago

Verify latest release

pnpm version

9.6.0

Which area(s) of pnpm are affected? (leave empty if unsure)

No response

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

In one of my repositories, I have Dependabot set up and pnpm.

package.json:

  "dependencies": {
    "tauri-plugin-fs-watch-api": "github:tauri-apps/tauri-plugin-fs-watch#v1",
    "tauri-plugin-sql-api": "github:tauri-apps/tauri-plugin-sql#v1",
    "tauri-plugin-store-api": "github:tauri-apps/tauri-plugin-store#v1",
  },

Every time Dependabot updated the dependencies, entries for git repos in the lockfile look like this:

      tauri-plugin-fs-watch-api:
        specifier: github:tauri-apps/tauri-plugin-fs-watch#v1
        version: git+https://git@github.com:tauri-apps/tauri-plugin-fs-watch.git#27c1ee0740eb63c4b3f417866e0c2b0a196262ea
      tauri-plugin-sql-api:
        specifier: github:tauri-apps/tauri-plugin-sql#v1
        version: git+https://git@github.com:tauri-apps/tauri-plugin-sql.git#7ae8847ab1f2252e8b6f0fe44af215ac40664fd6
      tauri-plugin-store-api:
        specifier: github:tauri-apps/tauri-plugin-store#v1
        version: git+https://git@github.com:tauri-apps/tauri-plugin-store.git#5f5404feea43b6cddd65e4171f52e92ca161a2aa

...

  tauri-plugin-fs-watch-api@git+https://git@github.com:tauri-apps/tauri-plugin-fs-watch.git#27c1ee0740eb63c4b3f417866e0c2b0a196262ea:
    resolution: {commit: 27c1ee0740eb63c4b3f417866e0c2b0a196262ea, repo: git@github.com:tauri-apps/tauri-plugin-fs-watch.git, type: git}
    version: 0.0.0

  tauri-plugin-sql-api@git+https://git@github.com:tauri-apps/tauri-plugin-sql.git#7ae8847ab1f2252e8b6f0fe44af215ac40664fd6:
    resolution: {commit: 7ae8847ab1f2252e8b6f0fe44af215ac40664fd6, repo: git@github.com:tauri-apps/tauri-plugin-sql.git, type: git}
    version: 0.0.0

  tauri-plugin-store-api@git+https://git@github.com:tauri-apps/tauri-plugin-store.git#5f5404feea43b6cddd65e4171f52e92ca161a2aa:
    resolution: {commit: 5f5404feea43b6cddd65e4171f52e92ca161a2aa, repo: git@github.com:tauri-apps/tauri-plugin-store.git, type: git}
    version: 0.0.0

...

  tauri-plugin-fs-watch-api@git+https://git@github.com:tauri-apps/tauri-plugin-fs-watch.git#27c1ee0740eb63c4b3f417866e0c2b0a196262ea:
    dependencies:
      '@tauri-apps/api': 1.6.0

  tauri-plugin-sql-api@git+https://git@github.com:tauri-apps/tauri-plugin-sql.git#7ae8847ab1f2252e8b6f0fe44af215ac40664fd6:
    dependencies:
      '@tauri-apps/api': 1.6.0

  tauri-plugin-store-api@git+https://git@github.com:tauri-apps/tauri-plugin-store.git#5f5404feea43b6cddd65e4171f52e92ca161a2aa:
    dependencies:
      '@tauri-apps/api': 1.6.0

Running pnpm i with this leads to the following error:

Lockfile is up to date, resolution step is skipped
Packages: +988
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 ERROR  Command failed with exit code 128: C:\Program Files\Git\cmd\git.EXE -c core.longpaths=true clone git@github.com:tauri-apps/tauri-plugin-fs-watch.git C:\Users\mail\AppData\Local\pnpm\store\v3\tmp\_tmp_18020_55ecad794075a2ef5a720f037830162b
Cloning into 'C:\Users\mail\AppData\Local\pnpm\store\v3\tmp\_tmp_18020_55ecad794075a2ef5a720f037830162b'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

pnpm: Command failed with exit code 128: C:\Program Files\Git\cmd\git.EXE -c core.longpaths=true clone git@github.com:tauri-apps/tauri-plugin-fs-watch.git C:\Users\mail\AppData\Local\pnpm\store\v3\tmp\_tmp_18020_55ecad794075a2ef5a720f037830162b
Cloning into 'C:\Users\mail\AppData\Local\pnpm\store\v3\tmp\_tmp_18020_55ecad794075a2ef5a720f037830162b'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
    at makeError (C:\snapshot\dist\pnpm.cjs)
    at handlePromise (C:\snapshot\dist\pnpm.cjs)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async execGit (C:\snapshot\dist\pnpm.cjs)
    at async gitFetcher (C:\snapshot\dist\pnpm.cjs)
    at async fetcher (C:\snapshot\dist\pnpm.cjs)
    at async run (C:\snapshot\dist\pnpm.cjs)
Progress: resolved 988, reused 980, downloaded 1, added 0

My current solution is to remove the packages from package.json, run pnpm i, revert the changes to package.json and run pnpm i again. After that, the above entries in the lockfile have changed to

      tauri-plugin-fs-watch-api:
        specifier: github:tauri-apps/tauri-plugin-fs-watch#v1
        version: https://codeload.github.com/tauri-apps/tauri-plugin-fs-watch/tar.gz/27c1ee0740eb63c4b3f417866e0c2b0a196262ea
      tauri-plugin-sql-api:
        specifier: github:tauri-apps/tauri-plugin-sql#v1
        version: https://codeload.github.com/tauri-apps/tauri-plugin-sql/tar.gz/7ae8847ab1f2252e8b6f0fe44af215ac40664fd6
      tauri-plugin-store-api:
        specifier: github:tauri-apps/tauri-plugin-store#v1
        version: https://codeload.github.com/tauri-apps/tauri-plugin-store/tar.gz/5f5404feea43b6cddd65e4171f52e92ca161a2aa

...

  tauri-plugin-fs-watch-api@https://codeload.github.com/tauri-apps/tauri-plugin-fs-watch/tar.gz/27c1ee0740eb63c4b3f417866e0c2b0a196262ea:
    resolution: {tarball: https://codeload.github.com/tauri-apps/tauri-plugin-fs-watch/tar.gz/27c1ee0740eb63c4b3f417866e0c2b0a196262ea}
    version: 0.0.0

  tauri-plugin-sql-api@https://codeload.github.com/tauri-apps/tauri-plugin-sql/tar.gz/7ae8847ab1f2252e8b6f0fe44af215ac40664fd6:
    resolution: {tarball: https://codeload.github.com/tauri-apps/tauri-plugin-sql/tar.gz/7ae8847ab1f2252e8b6f0fe44af215ac40664fd6}
    version: 0.0.0

  tauri-plugin-store-api@https://codeload.github.com/tauri-apps/tauri-plugin-store/tar.gz/5f5404feea43b6cddd65e4171f52e92ca161a2aa:
    resolution: {tarball: https://codeload.github.com/tauri-apps/tauri-plugin-store/tar.gz/5f5404feea43b6cddd65e4171f52e92ca161a2aa}
    version: 0.0.0

...

  tauri-plugin-fs-watch-api@https://codeload.github.com/tauri-apps/tauri-plugin-fs-watch/tar.gz/27c1ee0740eb63c4b3f417866e0c2b0a196262ea:
    dependencies:
      '@tauri-apps/api': 1.6.0

  tauri-plugin-sql-api@https://codeload.github.com/tauri-apps/tauri-plugin-sql/tar.gz/7ae8847ab1f2252e8b6f0fe44af215ac40664fd6:
    dependencies:
      '@tauri-apps/api': 1.6.0

  tauri-plugin-store-api@https://codeload.github.com/tauri-apps/tauri-plugin-store/tar.gz/5f5404feea43b6cddd65e4171f52e92ca161a2aa:
    dependencies:
      '@tauri-apps/api': 1.6.0

and it works again.

The SSH key should be set up correctly; running git.EXE -c core.longpaths=true clone git@github.com:tauri-apps/tauri-plugin-store.git manually from the same console works fine.

Describe the Bug

pnpm i fails

Expected Behavior

pnpm i runs without problems

Which Node.js version are you using?

20.11.1

Which operating systems have you used?

If your OS is a Linux based, which one it is? (Include the version if relevant)

No response
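The manual fix described in the report (remove the git packages, install, re-add them, install again) ends with the same commits pinned, only addressed as codeload tarballs instead of git+ssh URLs. The following script automates exactly that rewrite of pnpm-lock.yaml and checks that no pinned commit changed in the process. It is an added example, not pnpm's or Dependabot's code; it assumes the lockfile uses the two forms shown in the issue, that the github:owner/repo mapping to https://codeload.github.com/owner/repo/tar.gz/<sha> holds for any GitHub repository (it is the generic codeload URL layout, so it generalizes beyond the three tauri plugins), and the sample lockfile fragment below is constructed from the lines quoted above.

```python
import re
import sys
from pathlib import Path

# git+ssh form that Dependabot writes (as quoted in the issue above):
#   git+https://git@github.com:OWNER/REPO.git#SHA
SSH_VERSION = re.compile(
    r"git\+https://git@github\.com:(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)\.git#(?P<sha>[0-9a-f]{40})"
)
# matching resolution entry:
#   resolution: {commit: SHA, repo: git@github.com:OWNER/REPO.git, type: git}
SSH_RESOLUTION = re.compile(
    r"resolution: \{commit: (?P<sha>[0-9a-f]{40}), "
    r"repo: git@github\.com:(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)\.git, type: git\}"
)
ANY_SHA = re.compile(r"\b[0-9a-f]{40}\b")


def tarball_url(owner: str, repo: str, sha: str) -> str:
    """Tarball address for one pinned commit, the form pnpm wrote after the manual fix."""
    return f"https://codeload.github.com/{owner}/{repo}/tar.gz/{sha}"


def rewrite_lockfile(text: str) -> str:
    """Rewrite git+ssh entries to codeload tarball entries; other lines are left untouched."""
    text = SSH_RESOLUTION.sub(
        lambda m: f"resolution: {{tarball: {tarball_url(m['owner'], m['repo'], m['sha'])}}}",
        text,
    )
    text = SSH_VERSION.sub(
        lambda m: tarball_url(m["owner"], m["repo"], m["sha"]),
        text,
    )
    return text


def pinned_commits(text: str) -> set[str]:
    """All 40-hex commit ids in the lockfile; used to prove the rewrite kept every pin."""
    return set(ANY_SHA.findall(text))


def rewrite_file(path: Path) -> bool:
    """Rewrite the lockfile in place. Returns True if anything changed; aborts if a pin changed."""
    before = path.read_text(encoding="utf-8")
    after = rewrite_lockfile(before)
    if pinned_commits(before) != pinned_commits(after):
        raise RuntimeError("pinned commits changed during rewrite, refusing to write")
    if after != before:
        path.write_text(after, encoding="utf-8")
        return True
    return False


# Constructed sample: one importer entry and one package entry copied from the issue text.
SAMPLE = """      tauri-plugin-fs-watch-api:
        specifier: github:tauri-apps/tauri-plugin-fs-watch#v1
        version: git+https://git@github.com:tauri-apps/tauri-plugin-fs-watch.git#27c1ee0740eb63c4b3f417866e0c2b0a196262ea

  tauri-plugin-fs-watch-api@git+https://git@github.com:tauri-apps/tauri-plugin-fs-watch.git#27c1ee0740eb63c4b3f417866e0c2b0a196262ea:
    resolution: {commit: 27c1ee0740eb63c4b3f417866e0c2b0a196262ea, repo: git@github.com:tauri-apps/tauri-plugin-fs-watch.git, type: git}
    version: 0.0.0
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        changed = rewrite_file(Path(sys.argv[1]))
        print("rewritten" if changed else "nothing to do")
    else:
        print(rewrite_lockfile(SAMPLE))
```

Run it as `python rewrite_lock.py pnpm-lock.yaml` (assumed file name) after a Dependabot PR and commit the result; the commit ids are the only thing that pins the fetched content, so the pin-set comparison is what makes the rewrite safe to apply without re-resolving.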

GabrielGil commented 1 month ago

I am also experiencing the same problem, considering downgrading until this is solved.

Did you find any workaround @eikowagenknecht?

Cheers 😄

eikowagenknecht commented 1 month ago

Only what I described above: remove and re-add the packages manually to fix the lockfile.

GabrielGil commented 1 month ago

Aha, but that would not prevent dependabot from re-updating that again in the next update, no?

Sorry, I omitted that, but I also saw your comment here https://github.com/dependabot/dependabot-core/issues/10124#issuecomment-2250218611

Thanks for your kindness and replying so fast ⏩

eikowagenknecht commented 1 month ago

Yes, with the next dependabot update it's the same problem again. I'm currently fixing this manually again every time.

GabrielGil commented 1 month ago

Hmm, that's sad. I'll downgrade to v8 and stay subscribed to this issue and see if it gets solved at some point. Thanks.

sibelius commented 1 month ago

is this a regression?

sibelius commented 1 month ago

how to fix this?

sibelius commented 1 month ago

try this

ssh-keyscan -t rsa "github.com" >> ~/.ssh/known_hosts
ssh-keyscan -t ed25519 "github.com" >> ~/.ssh/known_hosts

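Appending ssh-keyscan output straight into known_hosts makes the clone work, but it also accepts whatever key the network hands back at that moment, which is the exact check "Host key verification failed" exists to enforce. The script below is an added example (not pnpm's or GitHub's code) of the safer variant of the same workaround: scan, compute the OpenSSH SHA256 fingerprint of each returned key, and only append lines whose fingerprint matches one you copied from GitHub's published SSH key fingerprints. The expected values in EXPECTED are placeholders to be filled in from that documentation, and the ed25519 key in SAMPLE_LINE is constructed for the self-test, not a real GitHub key.

```python
import base64
import hashlib
import subprocess
from pathlib import Path

# Placeholders: replace with the fingerprints GitHub publishes for github.com before use.
EXPECTED = {
    "ssh-ed25519": "SHA256:<ed25519 fingerprint from GitHub's docs>",
    "ssh-rsa": "SHA256:<rsa fingerprint from GitHub's docs>",
}


def parse_known_hosts_line(line: str) -> tuple[str, str, bytes]:
    """Split 'host keytype base64blob [comment]' into (host, keytype, wire-format key)."""
    parts = line.strip().split()
    if len(parts) < 3 or parts[0].startswith("#"):
        raise ValueError(f"not a known_hosts key line: {line!r}")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    return host, keytype, base64.b64decode(b64, validate=True)


def wire_key_type(blob: bytes) -> str:
    """First field of the SSH wire format is a length-prefixed algorithm name."""
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n].decode("ascii")


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(wire key)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def verified_lines(scan_output: str, expected: dict, host: str = "github.com") -> list[str]:
    """Keep only scanned lines for `host` whose key fingerprint matches the expected one."""
    kept = []
    for line in scan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # ssh-keyscan prints comment lines on stderr, but be tolerant anyway
        line_host, keytype, blob = parse_known_hosts_line(line)
        if line_host != host:
            continue
        if wire_key_type(blob) != keytype:
            raise ValueError(f"key type label {keytype} does not match key blob")
        if expected.get(keytype) == fingerprint(blob):
            kept.append(line.strip())
    return kept


def pin_host(host: str = "github.com", expected: dict = EXPECTED,
             known_hosts: Path = Path.home() / ".ssh" / "known_hosts") -> list[str]:
    """Scan `host`, verify, append matching lines; fail closed if nothing matched."""
    out = subprocess.run(
        ["ssh-keyscan", "-t", "ed25519,rsa", host],
        capture_output=True, text=True, check=True,
    ).stdout
    good = verified_lines(out, expected, host)
    if not good:
        raise SystemExit(f"no scanned key for {host} matched an expected fingerprint")
    known_hosts.parent.mkdir(parents=True, exist_ok=True)
    with known_hosts.open("a", encoding="utf-8") as fh:
        fh.write("\n".join(good) + "\n")
    return good


# Constructed sample key for the self-test: wire format is string("ssh-ed25519") + string(32 bytes).
_SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_LINE = "github.com ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode("ascii")

if __name__ == "__main__":
    pin_host()
```

In CI, run this once before `pnpm install`; because it fails closed, a key that does not match the published fingerprint stops the job instead of silently being trusted.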
gilest commented 1 month ago

A (pretty involved) workaround is to add an SSH private key to the actions runner.

It doesn't need special privileges to clone public repos, but GitHub does need to recognise it.

For this I used a read-only deploy key for the given repo.

  1. Generate an SSH key. For example ssh-keygen -t rsa -q -P "" -f temp_key
  2. Add the contents of the public key temp_key.pub as a repository deploy key: PNPM_GIT_CLONE_WORKAROUND
  3. Add the contents of the private key temp_key as a repository secret: PNPM_GIT_CLONE_WORKAROUND_SSH_KEY
  4. Also add the contents of the private key temp_key as a dependabot secret: PNPM_GIT_CLONE_WORKAROUND_SSH_KEY
  5. Add the following GH actions step before your pnpm install

# Workaround for https://github.com/dependabot/dependabot-core/issues/10124
- name: Add SSH key (enables pnpm to run `git clone`)
  run: |
    mkdir -p ~/.ssh
    echo "${{ secrets.PNPM_GIT_CLONE_WORKAROUND_SSH_KEY }}" > ~/.ssh/id_rsa
    chmod 600 ~/.ssh/id_rsa

Obviously you'll need to keep your private key secret; I'd recommend deleting it once you've set it up.