Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Post-release changes to 1.22.22 breaking checksum calculation for packages built from source using both Yarn 1.x and 2+ #9065

Open
Esaron opened this issue May 26, 2024 · 3 comments

Comments

@Esaron
Copy link

Esaron commented May 26, 2024

Looks like a few days ago, 2024/05/24, the latest version of Yarn classic (1.22.22) was updated after already having been released to the community. This caused all checksums calculated for packages built from source (IE for dependencies pointing at specific GitHub refs, etc) to change. At my company specifically, when we did a routine cache-busting operation, all of our CI/CD builds started failing and we had to spend the day before a US holiday scrambling to figure out what happened and make sure we could release code next week. Setting aside the issue of whether releases should be updated without a version change after being in the wild for months, does it even make sense for the checksums of packages to change when the dependency itself hasn't changed at all, and only the yarn-classic.cjs file downloaded during the packing process has?

@arcanis
Copy link
Member

arcanis commented May 26, 2024

We added the missing release artifacts a couple of days ago. I don't have details on your build infra so I don't know why it'd affect the build output - if you truly build a specific commit, I'd expect the result to always be the same.

@MikeMcC399
Copy link

#9050 (comment) captured the state of releases

github com_yarnpkg_yarn_releases

It does not look like any files were replaced. As far as I can see the release v1.22.22 was just completed with the missing files.

image

@Esaron
Copy link
Author

Esaron commented May 26, 2024

We added the missing release artifacts a couple of days ago. I don't have details on your build infra so I don't know why it'd affect the build output - if you truly build a specific commit, I'd expect the result to always be the same.

This has nothing to do specifically with our build infra. I included some very simple reproduction steps if you can get a hold of an old package in the other issue I created in the berry repo. We should take this conversation there, since we're using Yarn 4.x. I created the issue in both repos since it's a cross-cutting problem, but I can see how it may have caused some confusion.

Re: your assertion above - That's simply not what's happening, at least in the case I've had to deal with. Here are example packages, one built from RobbieTheWagner/ember-ajax-fetch@0341a43 using Yarn 2+ prior to the 1.22.22 version change, one after.

Old:

ember-ajax-fetch-https-4aa98bd11c-10c0.zip

New:

ember-ajax-fetch-https-4aa98bd11c-10c0-new.zip

If you take a sha512sum of both zips, you get different output (if you crack them open you'll see why). The downloaded yarn-classic.cjs, which appears to be included in the zip, is different because during the build process, Yarn pulls from latest, and latest has changed. I haven't had the opportunity to test this with other repositories, as this is the only one we actually build from source and pin to a specific commit.

I can provide more details, but as it's a US holiday weekend and I have plans, I can't until next week. I just wanted to make sure this was on your radar in case it became a larger issue for the community.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants