search

stephank / yarn-plugin-nixify

Yarn v3/v4 plugin to help with Nix packaging
BSD 2-Clause "Simplified" License
68 stars 8 forks source link

Installation instructions result in unreproducible `plugins` entry in `.yarnrc.yml` #93

Open the-sun-will-rise-tomorrow opened 1 week ago

the-sun-will-rise-tomorrow commented 1 week ago

Currently, the installation instructions mention that we should run:

$ yarn plugin import https://raw.githubusercontent.com/stephank/yarn-plugin-nixify/main/dist/yarn-plugin-nixify.js

I noticed that this will create a .yarnrc.yml that looks like this:

plugins:
  - checksum: 262555f70f393385c7b94658bf64e3c673a90cb79b6e3da036c5ff89e2b0133a033c620632b88e1252356926322922deb809aee91bb1c6d1ce0f2d8a4c917480
    path: .yarn/plugins/yarn-plugin-nixify.cjs
    spec: "https://raw.githubusercontent.com/stephank/yarn-plugin-nixify/main/dist/yarn-plugin-nixify.js"

I'm not too familiar with how Yarn works, but it looks like it is associating a stable checksum with an unstable URL: the URL points to the main branch, so when the file is eventually updated, it will no longer match the checksum.

I think the instructions should guide users to specify a stable URL, i.e. one which includes a Git commit SHA-1 or tag name instead of the main branch name.

the-sun-will-rise-tomorrow commented 1 week ago

Hmm, if I try building the project from a clean checkout, it fails.

It looks like we have to add .yarn/plugins to version control?