Mastodon package will break on next release due to change to yarn lockfile v2

[Eisfunke]

Describe the bug

Mastodon now uses yarn lockfile v2 on the main branch (see here). The current release 4.2.3 still uses a v1 lockfile (see here).

v2 lockfiles aren't supported yet by fetchYarnDeps, which is used in the Mastodon package, see issue #254369.

So, on the next release, which will probably distribute the new v2 lockfile, the package including its update script (it uses prefetch-yarn-deps which doesn't support the new lockfiles either) will break.

I noticed this because I use a copy of the package on glitch-soc, which doesn't have releases and also started to use the new lockfiles, therefore I couldn't update.

I thought I should open an issue to give a heads-up, so we won't be hit unexpectedly on the next release.

Notify maintainers

@happy-river
@erictapen
@Izorkin
@ghuntley

---

Add a 👍 reaction to issues you find important.

[NotNite]

This is much more worrying now that a critical Mastodon security advisory has been released: GHSA-3fjr-858r-92rw

[Eisfunke]

This is much more worrying now that a critical Mastodon security advisory has been released: GHSA-3fjr-858r-92rw

I thought so too at first, but it's fine.

The security patch has been backported to the stable 4.2 branch, which still has the old lockfile, so there's no problem there. Indeed someone has already committed the latest stable version 4.2.5 with the security fix:

48bc814

So this issue still just a blocker for updating to 4.3 once that's released.

[NotNite]

Uh... what do I do if I'm on a commit that is 4.3 branch but before yarn 2? 😅

[Eisfunke]

Well, uh, that's a little more complicated then.

You could either create a patch file with the fix and only the fix and apply that via patches in an override. The actual fix commit is quite small, so that should work without bigger problems.

Or you could use a workaround the lockfile problem itself., which isn't that hard, but requires some custom copy-pasted-and-modified code. E.g. you can take a look at what I did for my glitch-soc package here. I stole that fix mostly from here.

I hope that helps somewhat :)

[NotNite]

You're a lifesaver! I went with the lockfile workaround, and after crashing WSL twice (lol) I've been able to deploy the latest commit of Chuckya (a glitch-soc fork) for my instance. Of course, I'm treating this as a temporary hack. Thank you so much!

[Izorkin]

Any ideas on how to fix the error in the nodejs build? (The work of @Eisfunke was used)

mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp info it worked if it ends with ok
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp info using node-gyp@10.0.1
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp info using node@20.15.1 | linux | x64
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp info find Python using Python version 3.12.4 found at "/nix/store/04gg5w1s662l329a8kh9xcwyp0k64v5a-python3-3.12.4/bin/python3"
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDOUT
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp http GET https://nodejs.org/download/release/v20.15.1/node-v20.15.1-headers.tar.gz
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp WARN install got an error, rolling back install
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp ERR! configure error
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp ERR! stack FetchError: request to https://nodejs.org/download/release/v20.15.1/node-v20.15.1-headers.tar.gz failed, reason: getaddrinfo EAI_AGAIN nodejs.org
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp ERR! stack at ClientRequest.<anonymous> (/build/source/node_modules/minipass-fetch/lib/index.js:130:14)
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp ERR! stack at ClientRequest.emit (node:events:519:28)
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp ERR! stack at _destroy (node:_http_client:880:13)
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp ERR! stack at onSocketNT (node:_http_client:900:5)
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp ERR! stack at process.processTicksAndRejections (node:internal/process/task_queues:83:21)
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp ERR! System Linux 6.6.46
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp ERR! command "/nix/store/v14k93caffbf0xz2g7bqr964grxxqlmj-nodejs-20.15.1/bin/node" "/build/source/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp ERR! cwd /build/source/node_modules/utf-8-validate
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp ERR! node -v v20.15.1
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp ERR! node-gyp -v v10.0.1
mastodon-modules-v4.3.0-beta.1> ➤ YN0000: │ utf-8-validate@npm:6.0.4 STDERR gyp ERR! not ok

[Izorkin]

I think I was able to fix the build error. Requires python 3.10.

[erictapen]

@Izorkin Looks like you are working on the upcoming 4.3.0 release? Care to open a draft PR for your progress? This way we could work on it together.

[Izorkin]

@Izorkin Looks like you are working on the upcoming 4.3.0 release? Care to open a draft PR for your progress? This way we could work on it together.

I'll prepare a draft this evening.