Comments (9)
gregmagolan
commented on June 18, 2024
Thanks for the issue. I ran into this as well and we should resolve for 1.0.
from rules_js.
gregmagolan
commented on June 18, 2024
Hmm. That is unfortunate that there is no integrity SHA provided for these URLs.
+ github.com/dmarcos/document-register-element/8ccc532b7f3744be954574caf3072a5fd260ca90:
+ resolution: {tarball: https://codeload.github.com/dmarcos/document-register-element/tar.gz/8ccc532b7f3744be954574caf3072a5fd260ca90}
+ name: document-register-element
+ version: 0.5.4
+ dev: true
yarn doesn't either in its lockfile
"document-register-element@github:dmarcos/document-register-element#8ccc532b7f3744be954574caf3072a5fd260ca90":
version "0.5.4"
resolved "https://codeload.github.com/dmarcos/document-register-element/tar.gz/8ccc532b7f3744be954574caf3072a5fd260ca90"
Presumably this is because a consistent SHA is not guaranteed over time. Without a SHA, the downloaded archives won't go into the external repository cache but they shouldn't anyway if their SHA is not guaranteed to be consistent.
from rules_js.
vpanta
commented on June 18, 2024
Ah yeah, makes sense. So short term just (unfortunately) not caching it makes sense, but long term maybe it's worthwhile to add a dictionary for sha's to the npm_translate_lock call similar to patches?
I appreciate the call-out though, as I'd like to raise this with our teams as it feels like a big code-audit hole.
from rules_js.
gregmagolan
commented on June 18, 2024
Cut a release which includes the fix https://github.com/aspect-build/rules_js/releases/tag/v0.11.1
from rules_js.
gregmagolan
commented on June 18, 2024
A dictionary of SHAs sounds reasonable to fill in gaps where there is no SHA provided in the lock file.
from rules_js.
alexeagle
commented on June 18, 2024
let's use 90% of our energy to push for an upstream fix, they are breaking supply chain security for everyone and it's not a bazel-specific problem...
from rules_js.
vpanta
commented on June 18, 2024
let's use 90% of our energy to push for an upstream fix, they are breaking supply chain security for everyone and it's not a bazel-specific problem...
100% agreed here, if anything (at all) is done on this side it should be minimal effort.
from rules_js.
vpanta
commented on June 18, 2024
Interesting side note: there actually is a SHA in the package-lock.json for these, it's just not getting propagated to pnpm-lock.yaml I'd guess?
"node_modules/document-register-element": {
"version": "0.5.4",
"resolved": "git+ssh://[email protected]/dmarcos/document-register-element.git#8ccc532b7f3744be954574caf3072a5fd260ca90",
"integrity": "sha512-dwvGei9I/m1pYQ/9aNODyVmvSWBtlncfIROn5Sbi4MVnIcZKre5QaWx+AGLI/j6VH9sp8jwLyeuWP1micANT0g==",
"license": "MIT"
},
from rules_js.
alexeagle
commented on June 18, 2024
Must be a pnpm bug then
from rules_js.
Related Issues (20)
- [Bug]: js_binary script launcher doesn't work with Alpine(dash) and no way to disable runfiles HOT 2
- [Bug]: Toolchain resolution broken when using bzlmod and js_image_layer HOT 2
- [Bug]: enable_runfiles should no longer be required HOT 2
- [Bug]: js_run_devserver fails on Windows HOT 1
- [Bug]: rule macros do not work when invoked from another workspace
- [FR]: Support Node 20 HOT 2
- Fix commented out stardoc targets
- Add e2es that explicitly test bazel-lib 2.x compatibilty
- [Bug]: npm_translate_lock error message uses incorrect repo refence symbol when using bzlmod HOT 1
- [Bug]: `public_hoist_packages` does not fail repository setup if requested hash does not exist HOT 1
- [Bug]: `npm_translate_lock`'s `update_pnpm_lock` attribute + bzlmod errors on first build when used with external repositories (eg. `rules_ts`) HOT 2
- [Bug]: jq: error (at packages/api/account/package.json:28): Cannot index array with string "STABLE_SCM_TAG" HOT 1
- [Bug]: `js_image_layer` doesn't copy symlinks of a directory provided as `data`
- [Bug]: test and document --experimental_use_hermetic_linux_sandbox
- [Bug]: optionalDependencies improperly linked when using custom registry
- [feat] rules_js: js_run_devserver 1p npm deps optimization for watch mode
- [Bug]: Providers from aspect_bazel_lib does not work with Bazel 7 HOT 2
- [Bug]: pkg is a directory; dependency checking of directories is unsound HOT 16
- [Bug]: Flaky build failure: npm package directory copy fails with "No such file or directory" HOT 24
- [Bug]: `public_hoist_packages` does not hoist dependencies in `bazel-bin/node_modules`
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from rules_js.