-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
npm install of 2.8.28 is downloading files with timestamp of Dec 31, 1969 #2054
Comments
I'm afraid not much can be done over here - may be try asking |
One thing I can add is |
Pretty sure the issue is on your side. 2.8.27 is fine as well. It's only 2.8.28 that is "corrupted." |
Unless the package is unusable, I wouldn't be too bothered by it. And there is no way I can influence the behaviour of |
The package is not usable. I cannot zip up the build folder because zip cannot handle files with a creation date before 1980. I had to switch to 2.8.27. Can you not just republish 2.8.28 to fix these timestamps? |
|
So that I can create a package for deploying the application along with npm dependencies to a test environment. Edit: can you try pushing a new version, 2.8.29? |
And even if I were to publish As advised above, please contact |
I can almost guarantee that if I open a ticket with npm and/or nodejs about a specific npm module on a specific version having corrupted timestamps they're going to point the finger back at this module. |
I just downloaded your tgz file DIRECTLY from npm, and it's corrupted IN the tgz file:
|
Regardless of who is to blame here, you have to resolve this somehow. You have a corrupted tarball on the latest 2.x version available. It's not my responsibility to figure out why your publish corrupted the timestamps on these files. |
Why is this issue closed? The package you published to npm has corrupt file metadata. There are developers here at The Atlantic who have lost a whole afternoon of work trying to debug an issue caused by 2.8.28. |
@alexlamsl |
What issue?
2.8.28 still functions correctly regardless of the bad timestamps produced by |
It caused errors with the filesystem in our dockerized development environment. Of course it still functions as it's supposed to, provided the package can actually be installed. |
The next 2.x release can be made with a non- |
Same issue here. Our private deployment system reject the tarball. If I extract the tarball and
|
@alexlamsl please stop trying to defer blame here. The issue is with this specific npm package for a specific version. Push a new version so people can move on. |
Should I post a |
This is blocking my deployments also... Any workaround? |
@mishagray use 2.8.27 until the module author decides that this isn't a problem with node / npm. |
This seems related to npm/npm#10052, which (if resolved) would alleviate your issue. |
It's true that npm/npm#10052 would incidentally fix this issue, because it would reset modification times on files, but there is a much simpler fix that would not require waiting for an 18-month-old issue on npm to be fixed. Make a fresh clone of the repository, bump the version, and publish to npm. I am certain that whatever condition caused the initially packaged files to have corrupted metadata will not be reproduced and the problem will be solved. It doesn't matter what version of npm you use to publish because it is not a bug in npm. This is a bug in the package you pushed to the npm registry, @alexlamsl, plain and simple. Your refusal to acknowledge this or to take even the simplest steps to address it reflects very poorly on you and on this project. |
@fdintino This is not a bug in UglifyJS. |
Who cares what the cause of the issue is? Fix it first then point fingers after. This attitude of "not my problem" when your package is broken solves nothing. |
I'm baffled by your attitude, frankly. An immeasurable amount of time has been put into this project by people in their own spare time, and you expect them to fix your environment for you? UglifyJS is not broken. (And to be honest, it is exactly this attitude that drives me away from doing OSS at all) |
Fix MY Environment? Wtf are you talking about? It's been demonstrated that the tarball on npm has corrupted timestamp data. How is that MY environment? |
Then the bafflement is mutual. You have four different people telling you that the file metadata in the 2.8.28 package is causing issues with their environments and deployments. And you have a (likely) easy solution—push a bumped version from a directory other than the corrupted one that published 2.8.28. But you ignore the former and don't seem to care about the latter. It goes without saying that everyone here appreciates the hard work that is poured into this project, otherwise we wouldn't be using it! I maintain several popular open source projects as well, and I appreciate the challenges that come with it. But if a package I published caused issues in multiple peoples environments, and it was in my power to fix it, I would do so! I think it's safe to assume that the odd modification time of the files in uglify-js is not intentional—it has no functional benefit and it's also plainly incorrect, these files were not modified in 1969. You have multiple people telling you that this causes incompatibilities in various different systems. I can only speak for myself, but here's a demonstration of how the files are incompatible in our system. To reproduce, you just need to install unison, a tool for performing two-way directory syncing:
Outputs the following:
Is it a bug that unison cannot sync files with a ctime and mtime of 0? Yes, perhaps, and I can open a ticket on that project. But judging by the others who have posted on this issue, the file metadata in the npm tgz are causing problems in other systems. And there is an easy way to ensure compatibility with everyone's system—a clean build and publish of a new version. I apologize for my tone earlier in this thread—I'm just frustrated by the refusal to even try to help. |
@eric-tucker: "I cannot zip up the build folder because zip cannot handle files with a creation date before 1980." Even with the incorrect timestamps, The problem with your zip program is out of scope of uglify. It's trivial to write a command to touch the files for your broken |
I will offer my apology regarding assuming this wasn't an npm issue and for any hostility shown previously. However, I stand by my affirmation that this should have been handled more professionally (by everyone), including keeping the issue open while people tracked down the root cause. Edit: side note - I wouldn't have been able to create any kind of helpful issue on npm as I have no idea what the author's build environment and/or npm/node versions were/are at the time of publish. The author should have created the ticket with npm saying "this is my environment and this is what happened." |
My two cents here: It's important for maintainers of open-source projects to accept bugs as valid, even if they are not directly caused by their own code. Given that the maintainers are the only people who are intimately familiar with the codebase and all of its dependencies, they are also the only people who are in a good position to report bugs upstream and track them, essentially acting as a middleman towards their users. This is also why issues should only be closed if there's clear evidence that they're invalid, not just "looks like not our problem". If there's doubt about whether it's user error or a bug in the maintainer's stack, then it's the job of the maintainer to ask the right questions to assess that (and prepare issue templates, and so on). The user can't know what information you need, until you ask. Put more succinctly: the user doesn't care whether it's the fault of the maintainer or not. They also shouldn't need to care, for open-source software to be sustainable and competitive in the long run. That having been said, there's a big difference between informing a maintainer that it's their job to handle bug reports, and personally accusing them of being responsible for your woes. Especially when you're a developer (read: a professional), you're expected to have the infrastructure in place to deal with upstream issues when they inevitably occur. While it is the maintainer's responsibility to pick up the bug and trace where it originates from, they are not responsible for your loss of work time, unless you have a support contract with an SLA. In the end, nothing is accomplished by pointing blame back and forth. Let's just each take our part of the responsibility - maintainers are responsible for tracking down bugs and getting them fixed regardless of where in the stack they occur, and developers ("users") are responsible for having their own contingency plans when things do eventually break, despite best efforts of all parties. |
@joepie91 all excellent points. I would add though that, while I can only speak for myself, my expectation isn't that the uglifyjs maintainers should fix this for me. Yes it cost me some time to troubleshoot and then fix myself, but I committed a fix to our codebase shortly after my first comment in this issue thread. I agree with you that this is my responsibility. What concerns me are the countless people who have run into this issue but haven't spoken up, or who are yet to encounter it. Particularly now that the problem has been identified and the solution is clear (push out a bumped version with either node 6.x or 8.1.0), it still bothers me that there is no will to fix this before the next backport release. |
Very good points @joepie91 . I would agree with @fdintino that waiting until the next backport release to address this problem is definitely downplaying the severity of this issue. It's almost always brought in as a transitive dependency so for someone starting a new project who hasn't yet encountered this issue they are most certainly going to encounter this bug. This will continue to consume a lot of development hours across many companies until 2.8.29+ is released. I agree with using open source is always "at your risk" but this is an incredibly important issue that still remains closed when it's been confirmed to be an issue with the author's publish environment (even if not caused by the author). Closed means non-issue, can't reproduce, or some other status of "not something we can or will address." This issue falls under none of those categories. |
Just to recap and to get a more clear vision of how we can proceed. The issue will not be fixed, although the problem is identified. At least until the next backport release? Is there any vague time frame when this happens? I am asking because we have no easy way to fix the current corrupted package by ourself in our current build chain. Any of the current workarounds flying around here are not really applicable in the way our build process works currently. So the only way to get our system running again is removing dependencies that pulled in UglifyJS2 and try to write the functionality ourself? I would be glad to get a statement about this so we can make an informed decision and work out a solution plan and start taking action to get our system back to life. |
@pythoneer if you |
When there's a complaint about a specific package version like this, please consider either using one of the many npm API tools to directly download the package and verify it, or using
I understand that the root cause of this issue wasn't in uglify-js. But the tools you use when you build packages is still your responsibility. If you're using a tool (or a version of that tool) that produces incorrect output, the expectation is that you recall the release and/or you downgrade your tools until that issue is fixed - not that you leave everyone in limbo until upstream figures out what your problem is and fixes it for you. If you're going to wait on upstream, unpublishing or retagging the offending build should be a strong suggestion. Just letting people sit with broken builds isn't your only option. And it shouldn't be an option at all. Especially on a maintenance branch like this. Many developers (myself included) like to use the latest versions of their tools and software, and that's understandable. But sometimes this can introduce bugs. I'd like to suggest that you set up a free account with https://travis-ci.org/. You can do automated builds on there and set it up to publish directly from there, so the setup on your local machine won't matter at that point. If your personal setup is going to change frequently, it makes sense to use a more static configuration that's not as fragile. Good luck in dealing with the remaining pieces of the issue. |
Is it a matter of pride that the issue is still closed? I've already implemented fixes in our build processes and told the company wide to lock any new package.json entries to version 2.8.27. That doesn't mean that a new point release shouldn't be published immediately. Yes, it is a small inconvenience in terms of individual persons or projects, but you should consider the collective time spent across all people dealing with this issue, including the numerous other projects having reported issues that lead back to this issue (that leads back to the fixed npm issue). @alexlamsl please, at least reopen this issue, and mark it fixed when you have time to update node/npm and republish. This is going to continue to break builds until a fix is implemented. Put at least a little consideration into the time of all the people who will ultimately see this issue pop up. |
@eric-tucker I'm glad that you were able to fix your build process, but I don't think it's a productive use of your time to continue repeating your opinions here. I'm pretty certain you've made your beliefs crystal clear. I think that everyone on both sides of this have had ample opportunity to express their opinions, and many valid points were made from both sides. At this point, the only logical thing to do is to sit back and see what the maintainers do. I do not believe that continuing to berate them will offer much incentive for them to grant your wishes. |
If people had put as much effort into being helpful as into writing meme comments, this would have been fixed a week ago. I never actually had this problem, but the response of the maintainers and community is making me think that I am unsafe to depend on this tool. |
mishoo/UglifyJS#2054 shrinkwrap was an issue because of cp-translations bumping on deploy npm 3 is dodgy on node 0.10 and would have forced an upgrade on all microservices so here is a dodgy workaround
mishoo/UglifyJS#2054 shrinkwrap was an issue because of cp-translations bumping on deploy npm 3 is dodgy on node 0.10 and would have forced an upgrade on all microservices so here is a dodgy workaround
Time to move to Clojure Compiler, this debacle is embarrassing. |
@schwitzerm A fixed release was pushed out to npm, 2.8.29. I really appreciate it @alexlamsl. I don't benefit from it personally, but I'm glad this won't cause issues going forward for fellow developers. You have gotten a lot of grief (some, admittedly, from me). And you aren't likely to be thanked by any of the people who would have been frustrated by the node bug that crept into the 2.8.28 build but now will not, because people only notice when things break. The same goes for all of the other bug fixes you continue to push out for the 2.x backport branch and the features being added to 3.x. I would imagine, particularly after this episode, that this can sometimes be a thankless job. So I'd like to personally express my gratitude for your work. |
@alexlamsl this is honestly the most brutal silent treatment from a maintainer of a popular repo I've seen till now. |
With the amount of pisspoor attitude from most people in this thread, can you blame them? Also, this was never a problem caused by this project, it was always third party tools that couldn't handle timestamps properly, and the only reason it was found out was because of a bug in yet another tool. None of this was caused because of UglifyJS. However, they already have released a fixed version. https://github.com/mishoo/UglifyJS2/releases/tag/v2.8.29 So why are you still harping on on this obsolete and outdated issue that doesn't mean anything to anyone anymore? |
This does not happen with 3.x:
The text was updated successfully, but these errors were encountered: