Skip to content

Stop storing integrity for git dependencies#525

Merged
nlf merged 2 commits intomainfrom
nlf/no-integrity-for-git
Mar 3, 2022
Merged

Stop storing integrity for git dependencies#525
nlf merged 2 commits intomainfrom
nlf/no-integrity-for-git

Conversation

@nlf
Copy link
Contributor

@nlf nlf commented Feb 8, 2022
edited by wraithgar
Loading

@ljharb
Copy link
Contributor

ljharb commented Feb 8, 2022

Would there be value in storing the git sha, since the URL might not contain it?

@ruyadorno ruyadorno changed the title Create 0000-no-integrity-for-git.md Stop storing integrity for git dependencies Feb 8, 2022
@nlf
Copy link
Contributor Author

nlf commented Feb 8, 2022

Would there be value in storing the git sha, since the URL might not contain it?

the sha is already what gets stored in the resolved field today

@darcyclarke darcyclarke added the Agenda will be discussed at the Open RFC call label Feb 9, 2022
@darcyclarke darcyclarke mentioned this pull request Feb 9, 2022
Closed
@wraithgar wraithgar mentioned this pull request Feb 10, 2022
Closed
@darcyclarke darcyclarke mentioned this pull request Feb 16, 2022
Closed
@bnb
Copy link

bnb commented Feb 16, 2022

will restate what I said in the meeting, half in jest but also half seriously: if this feature isn't working in a consistent way that accomplishes what it says it does, entirely removing it is imo potentially a candidate for a patch release.

nlf added a commit to npm/pacote that referenced this pull request Feb 22, 2022
@nlf
fix: ignore integrity values for git dependencies
c659428 
while this will not remove the values that are being ignored, it does
ensure that we don't throw EINTEGRITY errors for git dependencies which
expect a specific integrity value. see npm/rfcs#525
@nlf nlf mentioned this pull request Feb 22, 2022
Merged
@darcyclarke darcyclarke mentioned this pull request Feb 23, 2022
Closed
@darcyclarke darcyclarke removed the Agenda will be discussed at the Open RFC call label Feb 23, 2022
nlf added a commit to npm/pacote that referenced this pull request Feb 23, 2022
@nlf
fix: ignore integrity values for git dependencies (#123)
3417714 
while this will not remove the values that are being ignored, it does
ensure that we don't throw EINTEGRITY errors for git dependencies which
expect a specific integrity value. see npm/rfcs#525
@derTobsch
Copy link

derTobsch commented Feb 24, 2022
edited
Loading

We run into the same problem today and now our ci pipline is stuck, because it does calculate a different hash than any other development machine. If we can help to test this issue, please let us know.

The problem came with the upgrade from npm 8.1.2 -> 8.3.1 - so we downgraded and it looks better now.

@nlf
Copy link
Contributor Author

nlf commented Mar 1, 2022

[email protected] no longer compares the stored integrity field to the generated data

@nlf nlf mentioned this pull request Mar 1, 2022
Closed
1 task
@nlf nlf merged commit c5214b8 into main Mar 3, 2022
@nlf nlf deleted the nlf/no-integrity-for-git branch March 3, 2022 23:08
@klassiker klassiker mentioned this pull request Dec 12, 2025
Merged
wraithgar pushed a commit to npm/pacote that referenced this pull request Feb 10, 2026
@klassiker
fix: ensure that resolved git ref matches expected sha (#439)
96e571a 
In npm/rfcs#525 about ignoring `integrity` values in lockfiles it was
stated:
> the sha is already what gets stored in the resolved field today

This is only true for resolutions from non-commits to commits.

A dependency like `git://...#4b559c4c663a23f988f6be5094c9a45faf6231bc`
will be stored using the same "reference" in `resolved` even when it
cloned a branch or a tag that resolved to a different sha.

The update is only done if it hasn't been resolved yet, which is already
the case if a full "commit" was specified:

https://github.com/npm/pacote/blob/4b559c4c663a23f988f6be5094c9a45faf6231bc/lib/git.js#L263-L265

This also applies to `npm ci` after reading `package-lock.json` as it
will use the same resolution.

This will compare the newly returned commit-hash with a previously set
`resolvedSha` and prevent that from happening.

Co-authored-by: pacotedev <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@nlf @ljharb @bnb @derTobsch @darcyclarke