
gluegun dependency has changed checksums #958

Closed
KholdStare opened this issue Sep 9, 2022 · 9 comments · Fixed by #1335

Comments

@KholdStare

Hi,

A project I work on depends on graph-cli, and recently our build started failing because one of your dependencies, gluegun, has changed checksums. You are depending on a particular git revision, gluegun@git+https://github.com/edgeandnode/gluegun.git#v4.3.1-pin-colors-dep, which should hopefully stay stable; however, yarn complains:

gluegun@https://github.com/edgeandnode/gluegun.git#commit=b34b9003d7bf556836da41b57ef36eb21570620a: The remote archive doesn't match the expected checksum

Looking at our yarn.lock the checksum has changed from 872685026db07ad1687056a78388f17c6a9bcd22bbf9d99d1e2b21e2d196c6e99a128bcff48063b3f0cf692a4365142fae9dd06cf8c532bc557a45f8ac853308 to 7a45a5a606a1e651c891467a693552b5237f8e90410f9c9daad4621ff0693d1c92b69aa35fc30eccf7c3b92ee724f15fc297e054086cfb312717ef01f48d2290

It's easy to just accept it and move on, but this can have security implications - the contents of a specific version of a package shouldn't just change overnight. Your current dependency is on a branch, which can easily be moved to one with malicious code.

Can you adopt an official release as opposed to a branch from an old fork?

@azf20
Contributor

azf20 commented Sep 9, 2022

Thanks @KholdStare cc @evaporei

@KholdStare
Author

@evaporei @azf20. Please address this. This is still causing problems for some of our devs who stumble on this checksum change issue. Can you use an official release?

@KholdStare
Author

I think it is related to this: yarnpkg/berry#2399. Every time the system where the package is built changes, the checksum changes too. This really kills the purpose of the yarn.lock file.

@nickmyatt

nickmyatt commented Oct 18, 2022

@KholdStare this is fixed in bleeding-edge Yarn: yarnpkg/berry#2399 (comment)

@azf20
Contributor

azf20 commented Oct 27, 2022

@evaporei do you know if we can move to an alternative version for this dependency? I think this was patched at some point.

@KholdStare
Author

@azf20 @evaporei This is still causing us grief. Dependabot fails to run on our repository because of this rogue dependency.

See the bug I filed with dependabot: dependabot/dependabot-core#6432

@ethereumdegen

This is also still causing me grief; someone please fix this. I think it's because the -cli package depends on a non-official version of gluegun; it's pointed at some random dude's GitHub, and this is also a security issue.

@ethereumdegen

Why is this in my yarn.lock due to graph-cli: gluegun: "git+https://github.com/edgeandnode/gluegun.git#v4.3.1-pin-colors-dep"

@saihaj
Member

saihaj commented Apr 11, 2023

This is also still causing me grief; someone please fix this. I think it's because the -cli package depends on a non-official version of gluegun; it's pointed at some random dude's GitHub, and this is also a security issue.

It is not some random dude's GitHub; this is a fork we have at Edge and Node.

I will figure out what we need to upgrade to the latest gluegun and archive this fork, which we had for a reason.
