
[Bug]: running `pnpm` from `rules_js` has non deterministic outcomes since `pnpm` relies on `npm` on the user path

Open Aghassi opened this issue 3 months ago • 1 comments

What happened?

We found that if you use `bazel run -- @pnpm//:pnpm info <package> --verbose`, you will see what version of node and what version of npm is being used. The version of npm used is derived from the user's PATH instead of from the sandbox. node, however, is safe as it's part of js_binary. The reason this is problematic is that npm is what may or may not have a hand in determining the integrity field in the lockfile. If you have npm version drift you can end up in a state where users are getting different integrity SHAs in the lockfile based on the response from the registry.

To reproduce you can simply do the following:

  1. Install nvm https://github.com/nvm-sh/nvm
  2. `nvm install 16 && nvm use 16`
  3. `bazel run -- @pnpm//:pnpm info react --verbose`
  4. `nvm install 18 && nvm use 18`
  5. `bazel run -- @pnpm//:pnpm info react --verbose`

Notice that between runs the path in this output will change. In my case, you can see I have npm from node 16 installed on my path when my monorepo uses node 18.

npm verb cli /private/var/tmp/_bazel_davidaghassi/30b12e6784b9304c95faa3f4506c5839/execroot/rh/bazel-out/darwin_arm64-fastbuild/bin/external/pnpm/pnpm.sh.runfiles/rh/../pnpm/pnpm_node_bin/node /Users/davidaghassi/.nvm/versions/node/v16.18.0/bin/npm
npm info using [email protected]
npm info using [email protected]

Thanks to @joeljeske for helping me pinpoint and debug this. This may be related to this issue we are seeing too https://github.com/pnpm/pnpm/issues/7419#issuecomment-2026185020

Version

Development (host) and target OS/architectures:

Output of bazel --version: 6.4.0

Version of the Aspect rules, or other relevant rules from your WORKSPACE or MODULE.bazel file: rules_js: 1.39.1

Language(s) and/or frameworks involved:

How to reproduce

See above

Any other information?

No response

Aghassi avatar Mar 28 '24 21:03 Aghassi

Notes:

  • See https://github.com/pnpm/pnpm/blob/442d97daad425c9bc923c12889d5b1ccee154992/pnpm/src/runNpm.ts#L6

jbedard avatar Mar 28 '24 22:03 jbedard
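
A check that could gate CI on the behaviour reported in this issue, as an added example that is not code from the issue, rules_js or pnpm: it reads the `npm verb cli <node> <npm>` line from `--verbose` output and flags an npm that lives outside the Bazel output base that holds node. The function names, the sample lines, and the rule "a hermetic npm would sit under the same output base as node" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the npm that pnpm delegated to, using --verbose output.

# Constructed samples shaped like the `npm verb cli` line in the report
# (user name, HASH and the toolchain path are placeholders, not real values).
SAMPLE_LEAK='npm verb cli /private/var/tmp/_bazel_user/HASH/execroot/ws/bazel-out/bin/external/pnpm/pnpm.sh.runfiles/pnpm/pnpm_node_bin/node /Users/user/.nvm/versions/node/v16.18.0/bin/npm'
SAMPLE_OK='npm verb cli /private/var/tmp/_bazel_user/HASH/execroot/ws/bazel-out/bin/external/pnpm/pnpm.sh.runfiles/pnpm/pnpm_node_bin/node /private/var/tmp/_bazel_user/HASH/external/hypothetical_npm/bin/npm'

# Print "<node path> <npm path>" from the first `npm verb cli` line on stdin.
# Assumes neither path contains spaces.
cli_paths() {
  sed -n 's/^npm verb cli \([^ ]*\) \([^ ]*\).*$/\1 \2/p' | head -n 1
}

# Exit status: 0 = npm is under node's Bazel output base,
#              1 = npm was resolved from somewhere else (e.g. the host PATH),
#              2 = the input could not be classified.
check_npm_origin() {
  paths=$(cli_paths)
  if [ -z "$paths" ]; then
    echo "no 'npm verb cli' line found" >&2
    return 2
  fi
  node_path=${paths%% *}
  npm_path=${paths#* }

  # The output base is everything before the first /execroot/ in node's path.
  case $node_path in
    */execroot/*) output_base=${node_path%%/execroot/*} ;;
    *) echo "node is not under a Bazel execroot: $node_path" >&2; return 2 ;;
  esac

  case $npm_path in
    "$output_base"/*) echo "ok: npm is inside the output base: $npm_path"; return 0 ;;
    *) echo "leak: npm resolved outside Bazel: $npm_path"; return 1 ;;
  esac
}
```

To run it against a real workspace, pipe the command from the reproduction steps into it, for example `bazel run -- @pnpm//:pnpm info react --verbose 2>&1 | check_npm_origin`, and fail the job on a non-zero status.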