Yarn: Ensure `.yarn-integrity` audit occurs post-postInstall.

Created on 11 Sep 2017 · 8 Comments · Source: yarnpkg/yarn

Do you want to request a feature or report a bug?

Soft-bug in existing feature.

What is the current behavior?

Files created in postInstall steps are not added to .yarn-integrity.

If the current behavior is a bug, please provide the steps to reproduce.

yarn init
yarn add postcss

postcss#caniuse-api/features.js exists immediately after install (yarn add postcss), but is not listed in .yarn-integrity.

What is the expected behavior?

postcss#caniuse-api/features.js is listed in .yarn-integrity. If I remember correctly, yarn currently generates .yarn-integrity via a list of install artifacts, but also does a file crawl for other integrity purposes. This can probably be fixed by either using a crawl (ideally piggybacking on any existing crawl) to generate the artifacts and/or ensuring the audit step runs after the postInstall script phase.

Please mention your node.js, yarn and operating system version.

node v4,6,8
yarn 1.0.1
macOS Sierra

Related

https://github.com/yarnpkg/yarn/issues/1955#issuecomment-328000207
https://github.com/yarnpkg/yarn/issues/3781

cat-bug

All 8 comments

This makes sense to me. @arcanis what do you think?

@CrabDude if we accept this, would you be willing to send a PR?

We actually (should) already have an artifact entry in the integrity files, but it seems like I've accidentally removed a parameter in the call to _generateIntegrityFile when I refactored the file, and that eventually caused the artifacts not to be written onto the disk 😞

Nice find! Thanks a lot @arcanis and @CrabDude!

Errata - I was looking at the wrong line, the parameter is still there.

@CrabDude When I tried your testcase locally I didn't have anything matching caniuse-api, and I don't see any post-install script in the package.json of postcss - am I missing something?

Also checked the caniuse-api package, but couldn't find any file named feature.js, nor any postinstall script :(

I'll create a repo with a repro case.

I verified this numerous times locally before creating this issue, but I can no longer reproduce it. I'm going to close this until I can reliably reproduce with more details...

@arcanis FWIW, it was in an older version of caniuse-api (1.4.1), and has since been addressed, but we used yarn import, which locked an older version of caniuse-api and [email protected] (not postcss like originally reported), which was the version that reliably had this issue and which I had confirmed locally (though can no longer repro).

In my attempt to reproduce this issue, all permutations of yarn version and dependency versions contained features.js in .yarn-integrity#artifacts. Having thought on this for a bit, I have to assume this issue and the issues we've seen over the past months must be related to https://github.com/yarnpkg/yarn/issues/3752, which would explain why the issue has been so seemingly indeterministic and difficult to track down.

Alright... I think I may have figured out the right incantation:

  1. yarn > caniuse-api/features.js exists in .yarn-integrity#artifacts
  2. yarn add leftpad > interrupt during "Linking dependencies" > .yarn-integrity dne
  3. yarn > .yarn-integrity is regenerated from existing node_modules, but caniuse-api/features.js is never added to .yarn-integrity#artifacts b/c it was never generated due to the interrupt

> Consequently, caniuse-api/features.js is pruned.

I confirmed this bug exists in [email protected], and is resolved in [email protected] (as expected from #3752) both with and without --check-files.
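
The end state described in the last comment (a regenerated .yarn-integrity whose artifacts section no longer lists a file produced at install time) can be checked for mechanically. The following is an added example, not code from yarn or from the thread participants; it assumes a parsed .yarn-integrity exposes an `artifacts` object mapping `name@version` to file paths relative to the package folder, and `auditArtifacts`, the expected-file map and all sample data are hypothetical.

```javascript
// Added example: audit the "artifacts" section of a parsed .yarn-integrity.
// Assumption: artifacts maps "name@version" to file paths relative to the
// package folder. auditArtifacts and all sample data are hypothetical.
function auditArtifacts(integrity, expected, onDisk) {
  const recorded = (integrity && integrity.artifacts) || {};
  const findings = [];
  for (const [pkg, files] of Object.entries(expected)) {
    const listed = new Set(recorded[pkg] || []);
    for (const file of files) {
      const present = onDisk.has(`${pkg}/${file}`);
      if (listed.has(file) && present) continue; // recorded and on disk: healthy
      let status;
      if (listed.has(file)) status = 'recorded-but-missing';
      else if (present) status = 'unrecorded'; // on disk but not tracked in artifacts
      else status = 'unrecorded-and-missing'; // end state of step 3 in the thread
      findings.push({ pkg, file, status });
    }
  }
  return findings;
}

// Constructed inputs modelled on the thread's caniuse-api/features.js case.
const expected = { 'caniuse-api@1.4.1': ['features.js'] };
const healthy = { artifacts: { 'caniuse-api@1.4.1': ['features.js'] } };
const regenerated = { artifacts: {} }; // integrity rebuilt after an interrupted install
const diskBefore = new Set(['caniuse-api@1.4.1/features.js']);
const diskAfter = new Set(); // generated file no longer present

console.log(auditArtifacts(healthy, expected, diskBefore));
console.log(auditArtifacts(regenerated, expected, diskAfter));
```
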
