Ghost 0.11.14 install failure

Created on 5 Dec 2018  ยท  8Comments  ยท  Source: TryGhost/Ghost

Issue Summary

Ghost 0.11.14 depends on har-validator 5.1.2, which has been unpublished.

To Reproduce

Install Ghost 0.11.14. You'll likely encounter failures like:

npm ERR! fetch failed https://registry.npmjs.org/har-validator/-/har-validator-5.1.2.tgz
npm WARN retry will retry, error on last attempt: Error: fetch failed with status code 404
npm ERR! fetch failed https://registry.npmjs.org/har-validator/-/har-validator-5.1.2.tgz
npm WARN retry will retry, error on last attempt: Error: fetch failed with status code 404
npm ERR! fetch failed https://registry.npmjs.org/har-validator/-/har-validator-5.1.2.tgz
npm ERR! Linux 3.13.0-115-generic
npm ERR! argv "/usr/bin/nodejs" "/usr/bin/npm" "install" "--production"
npm ERR! node v6.11.0
npm ERR! npm  v3.10.10

This is because npm-shrinkwrap.json specifies har-validator 5.1.2, which has been unpublished. See:
https://github.com/ahmadnassri/node-har-validator/issues/112

To make the problem worse, the NPM registry returns inconsistent results for the unpublished 5.1.2 version. This command sometimes returns 200, sometimes returns 404 Not Found:

curl -I https://registry.npmjs.org/har-validator/-/har-validator-5.1.2.tgz

Suggested fix: Update to har-validator 5.1.3 in npm-shrinkwrap.json.

Technical details:

  • Ghost Version: 0.11.14
  • Node Version: 6.11.0
  • Browser/OS: Linux
  • Database: SQLite
help wanted
Source
picture hwdsl2

All 8 comments

This is because npm-shrinkwrap.json specifies har-validator 5.1.2, which has been unpublished.

why

Thanks for the report - i can sort out a fix on monday, but if you can put together a PR it would be appreciated :relaxed:

The 0.11.14 release is on the lts branch

allouis picture allouis on 6 Dec 2018
😄1

Support for the LTS version of Ghost ends on Dec 31st - so in 25 days - this will probably be the last fix.

ErisDS picture ErisDS on 6 Dec 2018
👍1

@allouis @ErisDS I tried to search for har-validator in the lts branch but could not find any reference. So I'm unable to make a pull request for this. Maybe we simply need a repackage of Ghost 0.11.14 (which will generate a new npm-shrinkwrap.json?

hwdsl2 picture hwdsl2 on 6 Dec 2018

Repackage of shrinkwrap could work! Give it a go :)

If you run npm ls you should see where har-validator is in the dep tree, spoiler: 

โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”œโ”€โ”€ [email protected]
โ”‚ โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ”œโ”€โ”€ [email protected] deduped
โ”‚ โ”‚ โ”œโ”€โ”€ [email protected] deduped
โ”‚ โ”‚ โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ”‚ โ”œโ”€โ”€ [email protected] deduped
โ”‚ โ”‚ โ”‚ โ”œโ”€โ”€ [email protected] deduped
โ”‚ โ”‚ โ”‚ โ””โ”€โ”€ [email protected]
โ”‚ โ”‚ โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ”‚ โ”œโ”€โ”€ [email protected] deduped
โ”‚ โ”‚ โ”‚ โ””โ”€โ”€ [email protected] deduped
โ”‚ โ”‚ โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ”‚ โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ”‚ โ”‚ โ””โ”€โ”€ [email protected] deduped
โ”‚ โ”‚ โ”‚ โ””โ”€โ”€ [email protected]
โ”‚ โ”‚ โ”œโ”€โ”€ [email protected] deduped
โ”‚ โ”‚ โ”œโ”€โ”€ [email protected] deduped
โ”‚ โ”‚ โ”œโ”€โ”€ [email protected] deduped
โ”‚ โ”‚ โ”œโ”€โ”€ [email protected] deduped
โ”‚ โ”‚ โ””โ”€โ”€ [email protected] deduped
โ”‚ โ””โ”€โ”ฌ [email protected]
โ”‚   โ”œโ”€โ”€ [email protected]
โ”‚   โ”œโ”€โ”€ [email protected]
โ”‚   โ”œโ”€โ”€ [email protected]
โ”‚   โ”œโ”€โ”ฌ [email protected]
โ”‚   โ”‚ โ””โ”€โ”€ [email protected]
โ”‚   โ”œโ”€โ”€ [email protected] deduped
โ”‚   โ”œโ”€โ”€ [email protected]
โ”‚   โ”œโ”€โ”€ [email protected] deduped
โ”‚   โ”œโ”€โ”ฌ [email protected] <-------------------------------- here
โ”‚   โ”‚ โ”œโ”€โ”€ [email protected] deduped
โ”‚   โ”‚ โ””โ”€โ”€ [email protected]

So you _might_ find that the sqlite dep has had a patch version since that that could fix the issue!

Thanks for taking a look :nerd_face:

allouis picture allouis on 7 Dec 2018

@allouis @ErisDS I've run npm ls on my Ghost 0.11.14 install. Here's the location of har-validator in the output:

... ...
โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”œโ”€โ”€ [email protected]
โ”‚ โ”œโ”€โ”€ [email protected]
โ”‚ โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ””โ”€โ”€ [email protected]
โ”‚ โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ””โ”€โ”€ [email protected]
โ”‚ โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ””โ”€โ”€ [email protected]
โ”‚ โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ”‚ โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ”‚ โ”‚ โ””โ”€โ”€ [email protected]
โ”‚ โ”‚ โ”‚ โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ”‚ โ”‚ โ”œโ”€โ”€ [email protected]
โ”‚ โ”‚ โ”‚ โ”‚ โ””โ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ”‚ โ”‚   โ””โ”€โ”€ [email protected]
โ”‚ โ”‚ โ”‚ โ””โ”€โ”€ [email protected]
โ”‚ โ”‚ โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ”‚ โ””โ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ”‚   โ””โ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ”‚     โ”œโ”€โ”€ [email protected]
โ”‚ โ”‚ โ”‚     โ”œโ”€โ”€ [email protected]
โ”‚ โ”‚ โ”‚     โ”œโ”€โ”€ [email protected]
โ”‚ โ”‚ โ”‚     โ”œโ”€โ”€ [email protected]
โ”‚ โ”‚ โ”‚     โ”œโ”€โ”ฌ [email protected] <-------------------------------- here
โ”‚ โ”‚ โ”‚     โ”‚ โ”œโ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ”‚     โ”‚ โ”‚ โ”œโ”€โ”€ [email protected]
โ”‚ โ”‚ โ”‚     โ”‚ โ”‚ โ”œโ”€โ”€ [email protected]
โ”‚ โ”‚ โ”‚     โ”‚ โ”‚ โ”œโ”€โ”€ [email protected]
โ”‚ โ”‚ โ”‚     โ”‚ โ”‚ โ””โ”€โ”ฌ [email protected]
โ”‚ โ”‚ โ”‚     โ”‚ โ”‚   โ””โ”€โ”€ [email protected]
โ”‚ โ”‚ โ”‚     โ”‚ โ””โ”€โ”€ [email protected]
... ...

I think that in order to fix it, your team might need to release a new version of gscan or ghost-ignition, which bumps up the dependency version of har-validator.

Alternatively, as I said above, maybe a simple repackaging of Ghost 0.11.14 will suffice, because there is no direct reference to [email protected] in package.json, and when you repackage, a new npm-shrinkwrap.json will be generated which will use the correct version [email protected] instead. I'm not sure how to repackage 0.11.14 but it seems to me that it cannot be done via a pull request in the Git repo.

hwdsl2 picture hwdsl2 on 8 Dec 2018

I'm not sure we should really be fixing this. LTS maintenance period is to cover critical security vulnerabilities and major issues with existing installs.

A bug in doing a fresh 0.11 install 25 days before EOL is -IMO- not at all valid. I suggest closing as wontfix.

@hwdsl2 please try installing a newer version of Ghost.

JohnONolan picture JohnONolan on 10 Dec 2018
👍1

@JohnONolan Thanks for the recommendation. This issue may also affect existing users who upgrade to 0.11.14 because [email protected] is in npm-shrinkwrap.json which now 404s.

However I am good with whichever way the Ghost blog team decides. Thank you for the awesome product.

hwdsl2 picture hwdsl2 on 10 Dec 2018

Agree w/ John. I've just gone through and closed all remaining LTS bugs.

There is no need to upgrade to 0.11.14 before doing a major upgrade. At the moment the best course of action is a fresh 1.0 install. We will be introducing a mechanism for upgrading straight from LTS -> 2.0 soon as per #10276.

Closing this as a wontfix.

ErisDS picture ErisDS on 13 Dec 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

RadoslavGatev picture RadoslavGatev  ยท  3Comments
marcuspoehls picture marcuspoehls  ยท  4Comments
pateskinasy picture pateskinasy  ยท  3Comments
krokofant picture krokofant  ยท  3Comments
HenryMarshall picture HenryMarshall  ยท  4Comments