ui dependencies in package-lock.json missing resolved/integrity fields #2299
Comments
Thanks for bringing this up @sarcasticadmin! I always assumed npm takes care of all the integrity stuff for us, but seems like it's not always the case. Based on the npm issues you linked above, it seems like If not, once you confirm the issue on your side is resolved, feel free to make a PR (or just let me know here and I can make the PR myself).
Let me give that a go and I'll raise a PR shortly
Wave SDK Version, OS
I'm attempting to package up waved and components from the v1.1.1 tag. My system is using the following versions:

Actual behavior
Several ui dependencies are missing integrity and resolved fields. Some examples: https://github.com/h2oai/wave/blob/5fd6aa5447859e9266ed42a6f9b0583281e62c63/ui/package-lock.json#L17944-L17946 and https://github.com/h2oai/wave/blob/5fd6aa5447859e9266ed42a6f9b0583281e62c63/ui/package-lock.json#L17994-L17997

These missing fields cause the nix build process to fail since it prefetches and verifies each of the dependencies then performs an npm build offline in a sandbox to ensure reproducibility. This is the result of nix-build against v1.1.1 for the ui:

This seems to be an outstanding issue within npm if the packages are already cached locally and npm install is used to generate the package-lock.json: npm/cli#4460 and npm/cli#6301

Expected behavior
In order to assure reproducible installations, every package listed in a package-lock.json should contain a resolved and integrity field so it can be fetched from a registry.

Steps To Reproduce
Unsure how to reproduce this within npm, it seems to happily proceed without caring about the missing resolved and integrity fields. Here is a simple version to verify using nix

default.nix:

nix-build from the same directory where default.nix exists

I'm happy to help troubleshoot or provide more info.
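One way to check a lockfile for the condition described under "Expected behavior", as an added example that is not part of the original issue or the Wave project: it lists every installable entry that lacks a resolved or integrity field. The names auditLock and missingFields and the sample lockfile are constructed for illustration, and the exemption of root, workspace, link and bundled entries is this example's assumption about which entries have no tarball of their own.

```javascript
// Added example (not from the issue or the Wave repo): list lockfile entries
// that lack the fields a prefetching, hash-verifying build needs.
function missingFields(entry) {
  return ["resolved", "integrity"].filter(
    (f) => typeof entry[f] !== "string" || entry[f] === "");
}

function auditLock(lock) {
  const findings = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, entry] of Object.entries(lock.packages)) {
      // Assumption: the root (""), workspace folders, symlinked entries and
      // dependencies bundled in a parent tarball are not fetched on their own.
      if (!path.includes("node_modules/") || entry.link || entry.inBundle) continue;
      const missing = missingFields(entry);
      if (missing.length) findings.push({ path, version: entry.version, missing });
    }
    return findings;
  }
  // lockfileVersion 1: nested "dependencies" tree keyed by package name.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      const missing = entry.bundled ? [] : missingFields(entry);
      if (missing.length) findings.push({ path, version: entry.version, missing });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return findings;
}

// Constructed sample lockfile; package names and the hash are placeholders.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "constructed-ui", version: "0.0.0" },
    "node_modules/complete-pkg": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/complete-pkg/-/complete-pkg-1.2.3.tgz",
      integrity: "sha512-CONSTRUCTEDPLACEHOLDER==",
    },
    "node_modules/incomplete-pkg": { version: "4.5.6", dev: true },
    "node_modules/parent/node_modules/bundled-pkg": { version: "0.1.0", inBundle: true },
    "node_modules/local-link": { resolved: "packages/local-link", link: true },
  },
};
for (const f of auditLock(sampleLock)) console.log(`${f.path}@${f.version}: missing ${f.missing.join(", ")}`);
```

To run it against a real lockfile, pass the parsed JSON of that file to auditLock and fail the CI job when the returned list is non-empty.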