yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com

Downloading a malformed package file results in Yarn silently quitting #5473

Open orf opened 6 years ago

orf commented 6 years ago

Do you want to request a feature or report a bug? Bug

What is the current behavior? We had an error while publishing a package to npm, where only part of the package was uploaded. If you download the package using download-npm-package it throws the following error:

{ Error: unexpected end of file
    at Gunzip.zlibOnError (zlib.js:153:15) errno: -5, code: 'Z_BUF_ERROR' }

If you try and yarn install a project with a malformed package like this in the yarn.lock or the package.json, it will look like it works but silently not install node_modules, produce an error log or provide any logging output:

~/PycharmProjects/x > yarn
yarn install v1.5.1
info No lockfile found.
[1/5] 🔍  Validating package.json...
[2/5] 🔍  Resolving packages...
warning x > karma > log4js > nodemailer@2.7.2: All versions below 4.0.1 of Nodemailer are deprecated. See https://nodemailer.com/status/
warning x > karma > log4js > loggly > request > node-uuid@1.4.8: Use uuid module instead
[3/5] 🚚  Fetching packages...
[###########################################################################################################################################################################################################################################################################################################################] 1276/1277%
~/PycharmProjects/xs > ls -la node_modules
ls: node_modules: No such file or directory

Yes, the package is malformed, but some kind of error should be thrown and the status code should be not 0.

If the current behavior is a bug, please provide the steps to reproduce. The package is private so we cannot share the exact file publicly (but can perhaps privately), but in theory any malformed tarfile on npm should trigger this.

What is the expected behavior?

Yarn should produce some kind of output and not silently fail, after it looks like the install works.

Please mention your node.js, yarn and operating system version.

MacOS latest, Yarn 1.5.1, node 6 and 8

orf commented 6 years ago

To clarify, this happens when you try and publish a large (30MB) npm package. The upload seems to time out, running npm pack [tarball url] fails with an EINTEGRITY error.

sth commented 6 years ago

This is caused by yarn using tar-fs which uses tar-stream which doesn't seem to contain much error handling and doesn't trigger errors on malformed input.

Probably yarn should either use a better tar module or somebody needs to fix the error handling in tar-stream. Undetected errors when extracting tar files can lead to all kinds of strange errors down the line, yarn really needs a library that passes these errors through properly.

To reproduce:

echo hello > broken.tgz
echo '{"dependencies": { "broken": "file:broken.tgz" }}' > package.json
yarn install

katanacrimson commented 6 years ago

Of note, this also seems to occur when a corrupted download exists in the yarn cache. If yarn promptly exits during the fetching packages stage repeatedly, it may mean that the cache's state (thus, the tarball in the cache) is bad.

sth commented 6 years ago

The error handling in tar-stream and tar-fs, which I mentioned above, should be fixed now (since tar-stream 1.6), but the errors still go undetected by yarn.

orf commented 6 years ago

Perhaps it is due to https://github.com/mafintosh/gunzip-maybe/issues/6 ?