Post-release changes to 1.22.22 breaking checksum calculation for packages built from source using both Yarn 1.x and 2+ #9065
Comments
We added the missing release artifacts a couple of days ago. I don't have details on your build infra so I don't know why it'd affect the build output - if you truly build a specific commit, I'd expect the result to always be the same.
#9050 (comment) captured the state of releases. It does not look like any files were replaced. As far as I can see the release v1.22.22 was just completed with the missing files.
This has nothing to do specifically with our build infra. I included some very simple reproduction steps if you can get a hold of an old package in the other issue I created in the berry repo. We should take this conversation there, since we're using Yarn 4.x. I created the issue in both repos since it's a cross-cutting problem, but I can see how it may have caused some confusion. Re: your assertion above - That's simply not what's happening, at least in the case I've had to deal with. Here are example packages, one built from RobbieTheWagner/ember-ajax-fetch@0341a43 using Yarn 2+ prior to the 1.22.22 version change, one after. Old: ember-ajax-fetch-https-4aa98bd11c-10c0.zip New: ember-ajax-fetch-https-4aa98bd11c-10c0-new.zip If you take a sha512sum of both zips, you get different output (if you crack them open you'll see why). The downloaded yarn-classic.cjs, which appears to be included in the zip, is different because during the build process, Yarn pulls from latest, and latest has changed. I haven't had the opportunity to test this with other repositories, as this is the only one we actually build from source and pin to a specific commit. I can provide more details, but as it's a US holiday weekend and I have plans, I can't until next week. I just wanted to make sure this was on your radar in case it became a larger issue for the community.
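
Added example, not part of the thread and not Yarn's own code: a per-member comparison of two cache zips, which shows whether a changed archive checksum comes from a changed file (as described above for `yarn-classic.cjs`) or only from zip metadata such as timestamps. The member names and contents below are constructed placeholders, not the real package layout.

```python
import hashlib
import io
import zipfile


def archive_digest(data: bytes) -> str:
    """SHA-512 of the archive bytes, i.e. what `sha512sum file.zip` reports."""
    return hashlib.sha512(data).hexdigest()


def entry_digests(data: bytes) -> dict:
    """SHA-512 of each member's decompressed content, keyed by member name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {
            info.filename: hashlib.sha512(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def diff_archives(old: bytes, new: bytes) -> dict:
    """Classify members as added, removed or changed between two archives."""
    a, b = entry_digests(old), entry_digests(new)
    return {
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def make_zip(files: dict, mtime=(2024, 1, 1, 0, 0, 0)) -> bytes:
    """Build a constructed sample archive in memory (stand-in for a cache zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=mtime), content)
    return buf.getvalue()


# Constructed sample data: names and contents are placeholders (assumptions).
PACKAGE = {"pkg/package.json": b'{"name": "example"}', "pkg/index.js": b"module.exports = {};"}
TOOL_A = {"pkg/yarn-classic.cjs": b"// bundled tool, build A"}
TOOL_B = {"pkg/yarn-classic.cjs": b"// bundled tool, build B"}
OLD = make_zip({**PACKAGE, **TOOL_A})
NEW = make_zip({**PACKAGE, **TOOL_B})            # same package, different bundled tool
RESTAMPED = make_zip({**PACKAGE, **TOOL_A}, mtime=(2024, 5, 24, 0, 0, 0))  # metadata only

if __name__ == "__main__":
    print("archive digests equal:", archive_digest(OLD) == archive_digest(NEW))
    print("content diff:", diff_archives(OLD, NEW))
    print("timestamp-only diff:", diff_archives(OLD, RESTAMPED))
```

To compare real cache entries, pass the bytes of the two zip files to `diff_archives` instead of the constructed samples.
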
Looks like a few days ago, 2024/05/24, the latest version of Yarn classic (1.22.22) was updated after already having been released to the community. This caused all checksums calculated for packages built from source (i.e. for dependencies pointing at specific GitHub refs, etc.) to change. At my company specifically, when we did a routine cache-busting operation, all of our CI/CD builds started failing and we had to spend the day before a US holiday scrambling to figure out what happened and make sure we could release code next week. Setting aside the issue of whether releases should be updated without a version change after being in the wild for months, does it even make sense for the checksums of packages to change when the dependency itself hasn't changed at all, and only the `yarn-classic.cjs` file downloaded during the packing process has?