npm ci fails due to wrong cdav-library tarball checksum. #2362

Closed
mejo- opened this issue Jul 20, 2021 · 9 comments
Labels
3. to review Waiting for reviews bug Something isn't working

Comments

@mejo-
Member

mejo- commented Jul 20, 2021

Installing NodeJS dependencies for the contacts app currently fails both locally on my machine and in GitLab CI due to an integrity checksum mismatch for nextcloud/cdav-library:

> git show -q
commit b8dc17def6e82c6e59e28d00ff27980050c49057 (HEAD -> master, origin/master, origin/HEAD)
[...]
> npm -v
7.6.3
> npm ci
[...]
npm WARN tarball tarball data for cdav-library@git+ssh://git@github.com/nextcloud/cdav-library.git#0d826181fdb3958ad7ec214fc00b450edb55a866 (sha512-pa6beP0vY/exZKPOhEpqHTnkVLtksjZaPKFTmhCHvhieDxrNbpqCC2EHHZHy5x1RPFxMbpqeipTLK80m3A+MZw==) seems to be corrupted. Trying again.
npm WARN tarball tarball data for cdav-library@git+ssh://git@github.com/nextcloud/cdav-library.git#0d826181fdb3958ad7ec214fc00b450edb55a866 (sha512-pa6beP0vY/exZKPOhEpqHTnkVLtksjZaPKFTmhCHvhieDxrNbpqCC2EHHZHy5x1RPFxMbpqeipTLK80m3A+MZw==) seems to be corrupted. Trying again.
npm ERR! code EINTEGRITY
npm ERR! sha512-pa6beP0vY/exZKPOhEpqHTnkVLtksjZaPKFTmhCHvhieDxrNbpqCC2EHHZHy5x1RPFxMbpqeipTLK80m3A+MZw== integrity checksum failed when using sha512: wanted sha512-pa6beP0vY/exZKPOhEpqHTnkVLtksjZaPKFTmhCHvhieDxrNbpqCC2EHHZHy5x1RPFxMbpqeipTLK80m3A+MZw== but got sha512-Ndwy4++X1m1jIqoQFP882SQH+RfkDTLbYRXnePavNNlLx5vmR4sHLRWZMIlwphWtxiU+mKhGisPM10V6K6ISXA==. (262717 bytes)

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/user/.npm/_logs/2021-07-20T08_57_59_563Z-debug.log

package-lock.json references cdav-library as follows:

               "node_modules/cdav-library": {
                        "version": "0.0.1",
                        "resolved": "git+ssh://git@github.com/nextcloud/cdav-library.git#0d826181fdb3958ad7ec214fc00b450edb55a866",
                        "integrity": "sha512-pa6beP0vY/exZKPOhEpqHTnkVLtksjZaPKFTmhCHvhieDxrNbpqCC2EHHZHy5x1RPFxMbpqeipTLK80m3A+MZw==",
                        "license": "AGPL-3.0",
                        "dependencies": {
                                "core-js": "^3.15.2",
                                "regenerator-runtime": "^0.13.7"
                        },
                        "engines": {
                                "node": ">=14.0.0"
                        }
                },

When manually installing cdav-library#0d826181fdb3958ad7ec214fc00b450edb55a866, the sha512 sum is different than the one referenced above:

> npm install git+ssh://git@github.com/nextcloud/cdav-library.git#0d826181fdb3958ad7ec214fc00b450edb55a866
[...]
> git diff package-lock.json
diff --git a/package-lock.json b/package-lock.json
index 74498ff6..00d19083 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -23,7 +23,7 @@
                                "@nextcloud/vue": "^4.0.3",
                                "b64-to-blob": "^1.2.19",
                                "camelcase": "^6.2.0",
-                               "cdav-library": "git+https://github.com/nextcloud/cdav-library.git",
+                               "cdav-library": "github:nextcloud/cdav-library#0d826181fdb3958ad7ec214fc00b450edb55a866",
                                "debounce": "^1.2.1",
                                "downloadjs": "^1.4.7",
                                "ical.js": "^1.4.0",
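Review bot: the `cdav-library` spec on the `+` line switches from an unpinned `git+https` URL to `github:nextcloud/cdav-library#0d826181…`, which changes the declared dependency rather than fixing a checksum; it is a side effect of the `npm install` with an explicit commit shown above. If the intent is only to correct the integrity value, drop this hunk from the commit, or make the pin a deliberate, separately reviewed change. The host on the `-` line reads `github.com`, not the `github.com` used in the `resolved` URLs of the following hunks, so confirm what the committed file actually contains.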
@@ -3861,7 +3861,7 @@
                "node_modules/cdav-library": {
                        "version": "0.0.1",
                        "resolved": "git+ssh://git@github.com/nextcloud/cdav-library.git#0d826181fdb3958ad7ec214fc00b450edb55a866",
-                       "integrity": "sha512-pa6beP0vY/exZKPOhEpqHTnkVLtksjZaPKFTmhCHvhieDxrNbpqCC2EHHZHy5x1RPFxMbpqeipTLK80m3A+MZw==",
+                       "integrity": "sha512-Ndwy4++X1m1jIqoQFP882SQH+RfkDTLbYRXnePavNNlLx5vmR4sHLRWZMIlwphWtxiU+mKhGisPM10V6K6ISXA==",
                        "license": "AGPL-3.0",
                        "dependencies": {
                                "core-js": "^3.15.2",
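Review bot: in `node_modules/cdav-library`, `resolved` is unchanged and still pins commit 0d826181…, yet `integrity` changes, so the two sha512 values describe the same source at the same commit. Before replacing the value, record which npm version produced each hash and check that the new one also passes in CI; otherwise the lockfile only moves the failure to the other environment.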
@@ -15470,7 +15470,7 @@
                },
                "cdav-library": {
                        "version": "git+ssh://git@github.com/nextcloud/cdav-library.git#0d826181fdb3958ad7ec214fc00b450edb55a866",
-                       "integrity": "sha512-pa6beP0vY/exZKPOhEpqHTnkVLtksjZaPKFTmhCHvhieDxrNbpqCC2EHHZHy5x1RPFxMbpqeipTLK80m3A+MZw==",
+                       "integrity": "sha512-Ndwy4++X1m1jIqoQFP882SQH+RfkDTLbYRXnePavNNlLx5vmR4sHLRWZMIlwphWtxiU+mKhGisPM10V6K6ISXA==",
                        "from": "cdav-library@github:nextcloud/cdav-library#0d826181fdb3958ad7ec214fc00b450edb55a866",
                        "requires": {
                                "core-js": "^3.15.2",
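Review bot: the `integrity` swap in this second `cdav-library` entry must stay identical to the one in `node_modules/cdav-library` above, since both describe the tarball for the same commit; regenerate the lockfile with a single npm version instead of editing either value by hand. The unchanged `version` and `from` lines already pin 0d826181…, so only the hash is in question here.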

Let me know if I should open a PR to fix the shasum for cdav-library in package-json.lock.

@skjnldsv
Member

Let me know if I should open a PR to fix the shasum for cdav-library in package-json.lock.

Sure! I guess something changed in the cdav-lib repo :)
Thanks for noticing!

@skjnldsv skjnldsv added 1. to develop Accepted and waiting to be taken care of and removed 0. Needs triage feature: contacts labels Jul 20, 2021
mejo- added a commit that referenced this issue Jul 20, 2021
The sha512 checksum for cdav-library commit 0d82618 in
`package-lock.json` was wrong.
mejo- added a commit that referenced this issue Jul 20, 2021
The sha512 checksum for cdav-library commit 0d82618 in
`package-lock.json` was wrong.

Signed-off-by: Jonas Meurer <jonas@freesources.org>
@mejo-
Member Author

mejo- commented Jul 20, 2021

Sure! I guess something changed in the cdav-lib repo :)

Here you are: #2363 😊

@mejo- mejo- added 3. to review Waiting for reviews and removed 1. to develop Accepted and waiting to be taken care of labels Jul 20, 2021
@mejo-
Member Author

mejo- commented Jul 20, 2021

Mh, so apparently there's something weird happening. On GitHub Actions, the old SHA512 sum (pa6beP0vY/exZKPOhEpqHTnkVLtksjZaPKFTmhCHvhieDxrNbpqCC2EHHZHy5x1RPFxMbpqeipTLK80m3A+MZw==) works and the new one (Ndwy4++X1m1jIqoQFP882SQH+RfkDTLbYRXnePavNNlLx5vmR4sHLRWZMIlwphWtxiU+mKhGisPM10V6K6ISXA==) fails. On my local system and on GitLab CI, the old SHA512 sum is reported as a mismatch by NPM. I'll have to further investigate this 🤔

@mejo-
Member Author

mejo- commented Jul 20, 2021

I was able to track down the issue to the NPM version being installed: with NPM 7.7.0 or newer installed, the existing integrity checksum is calculated, with NPM 7.6.4 or older, the other one. I suspect the change regarding npm publish in NPM 7.7.0 to be the reason for this.

In other words, there's no problem with the package-lock.json as it is right now, but it requires NPM >= 7.7.0. Sorry for the noise.

It's always so much fun (not!) to debug the toolchain only to realize that something backwards-incompatible changed "somewhere" 😢

@mejo- mejo- closed this as completed Jul 20, 2021
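
The triage this thread worked through by hand, as an added example that is not part of the original issue or the project's code: it maps an `EINTEGRITY` line back to its lockfile entry and separates a git-resolved dependency, where the thread found the hash depends on the npm version, from a registry tarball. Function names and the `example-pkg` entry are hypothetical; the other sample values are copied from the issue text.

```javascript
// Added example: triage an npm EINTEGRITY failure against package-lock.json.
// Sample data comes from the issue above; function names are hypothetical.
const WANTED = 'sha512-pa6beP0vY/exZKPOhEpqHTnkVLtksjZaPKFTmhCHvhieDxrNbpqCC2EHHZHy5x1RPFxMbpqeipTLK80m3A+MZw==';
const GOT = 'sha512-Ndwy4++X1m1jIqoQFP882SQH+RfkDTLbYRXnePavNNlLx5vmR4sHLRWZMIlwphWtxiU+mKhGisPM10V6K6ISXA==';
const COMMIT = '0d826181fdb3958ad7ec214fc00b450edb55a866';
const lock = { packages: {
  'node_modules/cdav-library': {
    resolved: `git+ssh://git@github.com/nextcloud/cdav-library.git#${COMMIT}`,
    integrity: WANTED },
  // Constructed registry entry for contrast (not from the issue).
  'node_modules/example-pkg': {
    resolved: 'https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz',
    integrity: 'sha512-Y29uc3RydWN0ZWQ=' } } };
const errLine = `npm ERR! ${WANTED} integrity checksum failed when using sha512: ` +
  `wanted ${WANTED} but got ${GOT}. (262717 bytes)`;

// Pull the expected and actual SRI strings out of the npm error line.
function parseEintegrity(line) {
  const m = /wanted (sha\d+-[A-Za-z0-9+/=]+) but got (sha\d+-[A-Za-z0-9+/=]+)/.exec(line);
  return m ? { wanted: m[1], got: m[2] } : null;
}

// Numeric comparison on major.minor.patch only (no pre-release tags).
function versionAtLeast(have, min) {
  const a = have.split('.').map(Number), b = min.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// Classify the failure: which lockfile entry expected this hash, and how is it resolved?
function triage(lockfile, line, npmVersion, minNpm) {
  const sri = parseEintegrity(line);
  if (!sri) return { kind: 'not-eintegrity' };
  const hit = Object.entries(lockfile.packages || {})
    .find(([, p]) => p.integrity === sri.wanted);
  if (!hit) return { kind: 'unknown-entry', ...sri };
  const [path, pkg] = hit;
  const git = /^git\+/.test(pkg.resolved || '');
  const commit = git ? pkg.resolved.split('#')[1] : null;
  // Git source: the issue found the hash depends on the npm version, so check that first.
  // Registry source: a mismatch on a published tarball needs investigating, not re-pinning.
  const kind = !git ? 'registry-mismatch'
    : versionAtLeast(npmVersion, minNpm) ? 'git-mismatch' : 'git-npm-too-old';
  return { kind, path, commit, ...sri };
}

console.log(triage(lock, errLine, '7.6.3', '7.7.0'));
```

A `git-npm-too-old` result corresponds to the outcome reported in this issue: upgrade npm instead of rewriting the lockfile hash.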