Open orf opened 6 years ago
To clarify, this happens when you try and publish a large (30MB) npm package. The upload seems to time out, running npm pack [tarball url] fails with an EINTEGRITY error.
This is caused by yarn using tar-fs which uses tar-stream which doesn't seem to contain much error handling and doesn't trigger errors on malformed input.
Probably yarn should either use a better tar module or somebody needs to fix the error handling in tar-stream. Undetected errors when extracting tar files can lead to all kinds of strange errors down the line, yarn really needs a library that passes these errors through properly.
To reproduce:
echo hello > broken.tgz
echo '{"dependencies": { "broken": "file:broken.tgz" }}' > package.json
yarn install
Of note, this also seems to occur when a corrupted download exists in the yarn cache. If yarn promptly exits during the fetching packages stage repeatedly, it may mean that the cache's state (thus, the tarball in the cache) is bad.
The error handling in tar-stream and tar-fs, which I mentioned above, should be fixed now (since tar-stream 1.6), but the errors still go undetected by yarn.
Perhaps it is due to https://github.com/mafintosh/gunzip-maybe/issues/6 ?
Do you want to request a feature or report a bug? Bug
What is the current behavior? We had an error while publishing a package to npm, where only part of the package was uploaded. If you download the package using download-npm-package it throws the following error:
If you try and yarn install a project with a malformed package like this in the yarn.lock or the package.json, it will look like it works but silently not install node_modules, produce an error log or provide any logging output:
Yes, the package is malformed, but some kind of error should be thrown and the status code should be not 0.
If the current behavior is a bug, please provide the steps to reproduce. The package is private so we cannot share the exact file publicly (but can perhaps privately), but in theory any malformed tarfile on npm should trigger this.
What is the expected behavior?
Yarn should produce some kind of output and not silently fail, after it looks like the install works.
Please mention your node.js, yarn and operating system version.
MacOS latest, Yarn 1.5.1, node 6 and 8
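The failure mode reported in this issue is a malformed or truncated tarball being accepted without an error. As an added example (not code from yarn, tar-fs or tar-stream), here is a strict pre-extraction check that throws instead of silently producing nothing; `validateTgz`, `headerChecksum` and `makeSampleTar` are hypothetical names, and the check assumes plain octal size fields (no GNU base-256 sizes).

```javascript
const zlib = require('zlib');

const BLOCK = 512; // tar header and data block size

// Sum of header bytes with the checksum field (offset 148, 8 bytes) counted as spaces.
function headerChecksum(header) {
  let sum = 0;
  for (let i = 0; i < BLOCK; i++) sum += (i >= 148 && i < 156) ? 0x20 : header[i];
  return sum;
}

// Returns the entry names, or throws on non-gzip, corrupt, truncated or empty input.
function validateTgz(buf) {
  if (buf.length < 2 || buf[0] !== 0x1f || buf[1] !== 0x8b) {
    throw new Error('not gzip data (bad magic bytes)');
  }
  const tar = zlib.gunzipSync(buf); // throws on a corrupt or truncated gzip stream
  const names = [];
  let off = 0;
  while (off + BLOCK <= tar.length) {
    const header = tar.subarray(off, off + BLOCK);
    if (header.every((b) => b === 0)) break; // end-of-archive marker
    const stored = parseInt(header.toString('latin1', 148, 156), 8);
    if (stored !== headerChecksum(header)) throw new Error(`bad tar header checksum at offset ${off}`);
    const size = parseInt(header.toString('latin1', 124, 136), 8);
    if (Number.isNaN(size)) throw new Error(`bad tar size field at offset ${off}`);
    const end = off + BLOCK + Math.ceil(size / BLOCK) * BLOCK;
    if (end > tar.length) throw new Error(`truncated tar entry at offset ${off}`);
    names.push(header.toString('utf8', 0, 100).split('\0')[0]);
    off = end;
  }
  if (names.length === 0) throw new Error('tar archive contains no entries');
  return names;
}

// Constructed sample input: a minimal one-file ustar archive built inline.
function makeSampleTar(name, content) {
  const data = Buffer.from(content);
  const header = Buffer.alloc(BLOCK);
  header.write(name, 0, 100, 'utf8');
  header.write('0000644\0', 100, 'latin1'); // mode
  header.write(data.length.toString(8).padStart(11, '0') + '\0', 124, 'latin1'); // size
  header.write('0', 156, 'latin1'); // typeflag: regular file
  header.write('ustar\0' + '00', 257, 'latin1');
  header.write(headerChecksum(header).toString(8).padStart(6, '0') + '\0 ', 148, 'latin1');
  const body = Buffer.alloc(Math.ceil(data.length / BLOCK) * BLOCK);
  data.copy(body);
  return Buffer.concat([header, body, Buffer.alloc(2 * BLOCK)]);
}
```

Run against the `broken.tgz` from the reproduction steps (the bytes `hello\n`), `validateTgz` throws at the gzip magic check, so a caller can exit non-zero instead of continuing.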