Mastodon package will break on next release due to change to yarn lockfile v2 #277697
Comments
This is much more worrying now that a critical Mastodon security advisory has been released: GHSA-3fjr-858r-92rw
I thought so too at first, but it's fine. The security patch has been backported to the stable 4.2 branch, which still has the old lockfile, so there's no problem there. Indeed someone has already committed the latest stable version 4.2.5 with the security fix: So this issue is still just a blocker for updating to 4.3 once that's released.
Uh... what do I do if I'm on a commit that is 4.3 branch but before yarn 2? 😅
Well, uh, that's a little more complicated then. You could either create a patch file with the fix and only the fix and apply that via Or you could work around the lockfile problem itself, which isn't that hard, but requires some custom copy-pasted-and-modified code. E.g. you can take a look at what I did for my glitch-soc package here. I stole that fix mostly from here. I hope that helps somewhat :)
You're a lifesaver! I went with the lockfile workaround, and after crashing WSL twice (lol) I've been able to deploy the latest commit of Chuckya (a glitch-soc fork) for my instance. Of course, I'm treating this as a temporary hack. Thank you so much!
Any ideas on how to fix the error in the nodejs build? (The work of @Eisfunke was used)
I think I was able to fix the build error. Requires python 3.10.
@Izorkin Looks like you are working on the upcoming 4.3.0 release? Care to open a draft PR for your progress? This way we could work on it together.
I'll prepare a draft this evening.
Describe the bug
Mastodon now uses yarn lockfile v2 on the main branch (see here). The current release 4.2.3 still uses a v1 lockfile (see here).
v2 lockfiles aren't supported yet by fetchYarnDeps, which is used in the Mastodon package, see issue #254369.
So, on the next release, which will probably distribute the new v2 lockfile, the package including its update script (it uses prefetch-yarn-deps which doesn't support the new lockfiles either) will break.
I noticed this because I use a copy of the package on glitch-soc, which doesn't have releases and also started to use the new lockfiles, therefore I couldn't update.
I thought I should open an issue to give a heads-up, so we won't be hit unexpectedly on the next release.
Notify maintainers
@happy-river
@erictapen
@Izorkin
@ghuntley
Add a 👍 reaction to issues you find important.
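An added example (not code from nixpkgs or from this thread): a pre-flight check an update script could run on a fetched yarn.lock to tell the v1 format from the Yarn 2+ ("Berry") format that the issue calls v2, and to fail with a clear message before the prefetch step. The function names, the exception class and both sample lockfiles are constructed for illustration.

```python
import re

# Constructed sample lockfiles (not taken from Mastodon or glitch-soc).
SAMPLE_V1 = '''# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"example-pkg@^1.0.0":
  version "1.0.0"
'''
SAMPLE_BERRY = '''# This file is generated by running "yarn install" inside your project.

__metadata:
  version: 6

"example-pkg@npm:^1.0.0":
  version: 1.0.0
'''


class UnsupportedLockfile(Exception):
    """Raised when yarn.lock is not in the v1 format (hypothetical helper)."""


def detect_yarn_lock_format(text):
    """Return ("v1", 1), ("berry", metadata_version) or ("unknown", None)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.fullmatch(r'# yarn lockfile v1\s*', line):
            return ("v1", 1)
        if line.rstrip() == "__metadata:":
            # Berry keeps its lockfile version as an indented key underneath.
            for sub in lines[i + 1:]:
                if not sub.startswith((" ", "\t")):
                    break
                m = re.fullmatch(r'\s+version:\s*"?(\d+)"?\s*', sub)
                if m:
                    return ("berry", int(m.group(1)))
            return ("berry", None)
        if line and not line.startswith("#"):
            break  # reached the first entry without seeing a format marker
    return ("unknown", None)


def require_v1(text):
    """Hypothetical guard: stop before prefetching if the lockfile is not v1."""
    fmt, version = detect_yarn_lock_format(text)
    if fmt != "v1":
        raise UnsupportedLockfile(f"yarn.lock is {fmt} (version {version}), not v1")
    return fmt
```

Running such a check early turns a confusing prefetch failure into an explicit message, which matters when the blocked update carries a security fix.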