Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

3.x fix import fallback #6385

Open
wants to merge 3 commits into
base: cherry-pick/next-release
Choose a base branch
from

Conversation

legobeat
Copy link

@legobeat legobeat commented Jul 6, 2024

  • fix*yarnpkg-cli): properly handle missing physicalPath in runBinary

https://github.com/yarnpkg/berry/pull/33/files#diff-0b87a3e94c60d5153e56080500921e63b9ce72910785f15fb9ff6d4a389126d9R27

Should the first argument here have been process.execPath? It seems odd to call physicalPath directly only if falsey?

@legobeat legobeat changed the base branch from master to cherry-pick/3.5 July 6, 2024 12:40
@merceyz
Copy link
Member

merceyz commented Jul 6, 2024

This is intended for 3.x. I picked the closest base branch as target that I found on the repo.

That would be https://github.com/yarnpkg/berry/tree/cherry-pick/next-release

@legobeat legobeat force-pushed the 3.x-fix-import-fallback branch from 8c31c0a to 49ecd14 Compare July 6, 2024 12:41
@merceyz
Copy link
Member

merceyz commented Jul 6, 2024

Should the first argument here have been process.execPath? It seems odd to call physicalPath directly only if falsey?

Probably but that branch is dead code, physicalPath is never falsy due to this check:

if (!xfs.existsSync(yarnPath)) {
process.stdout.write(cli.error(new Error(`The "yarn-path" option has been set (in ${configuration.sources.get(`yarnPath`)}), but the specified location doesn't exist (${yarnPath}).`)));
process.exitCode = 1;
} else {

@legobeat legobeat changed the base branch from cherry-pick/3.5 to cherry-pick/next-release July 6, 2024 19:45
@legobeat
Copy link
Author

legobeat commented Jul 6, 2024

@merceyz The redundant path-checking has been addressed and process exit codes are now ensured to be numbers (preserving existing cases and default of 1).

@legobeat legobeat marked this pull request as ready for review July 6, 2024 20:32
{code: `ENOENT`, errno: -2},
);
}

process.on(`SIGINT`, () => {
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Separate but it seems like this is never restored after execution of the binary?

Copy link
Member

@merceyz merceyz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm failing to see what issue this is fixing, could you add a test that fails without these changes or provide the steps to reproduce it?

Comment on lines +98 to +107
try {
runBinary(yarnPath);
} catch (error) {
if (error.code === `ENOENT`)
process.stdout.write(cli.error(new Error(`The "yarn-path" option has been set (in ${configuration.sources.get(`yarnPath`)}), but the specified location doesn't exist (${yarnPath}).`)));

if (typeof error.code === `number`) {
process.exitCode = error.code;
} else {
process.exitCode = 1;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the path is set and is truthy but the file doesn't exist this wont throw the same error it did before.

Copy link
Author

@legobeat legobeat Jul 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The exit code before was a non-number string. This is not valid. Do we actually want to preserve that behavior?

For string type, only integer strings (e.g.,'1') are allowed

https://nodejs.org/api/process.html#processexitcode_1

Copy link
Author

@legobeat legobeat Jul 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(I put this here specifically for consistency with old behavior - otherwise using error.errno, ie -2 would have seemed appropriate)

@arcanis
Copy link
Member

arcanis commented Jul 6, 2024

Fwiw I'm -1 on merging something in the 3.x branch that isn't a straight cherry-pick from master. I can imagine a change like this changing some edge case behaviour somewhere, and I wouldn't want us to have to deal with additional hotfixes.

@legobeat 4.0 was released in Oct 2023 and the migration from 3.x is reasonably small; why not upgrade?

@legobeat
Copy link
Author

legobeat commented Jul 6, 2024

4.0 was released in Oct 2023 and the migration from 3.x is reasonably small; why not upgrade?

Let's just say I contribute to repos where this is not under my control, and I believe it's neither here nor there? Would expect many community repos and deployments at large to stay on v3 for a considerable time still and that's not really my crusade.

@arcanis
Copy link
Member

arcanis commented Jul 7, 2024

and I believe it's neither here nor there

Sure it is. You're asking us to ship code exclusive to the 3.x branch, which we don't dogfood anymore, and possibly affect other 3.x users which may or may not rely on the behaviour you're changing. We need to understand why it's important enough to be backported. "Fixes a vulnerability" is often a yes, "Changes the text color from orange to red" a no.

Would expect many community repos and deployments at large to stay on v3 for a considerable time

The project sometimes releases cherry-picks to older lines if a maintainer is interested in backporting fixes, but we don't promise doing that. I think you'll have a better time properly upgrading the version every once in a while rather than waiting for hotfixes to be backported on older release lines "for a considerable time".

@legobeat
Copy link
Author

legobeat commented Jul 7, 2024

and possibly affect other 3.x users which may or may not rely on the behaviour you're changing.

This should be the focus. This patch is not primarily intended for my personal benefit.

Separately, I do think there are more out there blocked by #6258 until they can upgrade from v3 to v4 without introducing vulnerability venues through existing legacy dependencies.

@legobeat legobeat force-pushed the 3.x-fix-import-fallback branch from 71ed127 to 2ee671f Compare August 8, 2024 03:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants