
feat(jitsucom-jitsu.yaml): add emptypackage test to jitsucom-jitsu

Open · philroche opened this pull request 7 months ago · 1 comment


Based on package size it was determined that this origin package is empty apart from its own SBOM, and this test was added to confirm it is empty; it will fail if the package is no longer empty (contains more than an SBOM).

philroche · May 27 '25 17:05

📡 Build Failed: Network

ERR_PNPM_FETCH_403 GET https://capi-automation.s3.us-east-2.amazonaws.com/public/nodejs/capi-param-builder/capi-param-builder-1.1.0-dev.tgz: Forbidden - 403

Build Details

Category        Details
Build System    npm/pnpm
Failure Point   pnpm dependency installation in /home/build/webapps/console

Root Cause Analysis 🔍

The build is trying to fetch a dependency (capi-param-builder-1.1.0-dev.tgz) from a private S3 bucket without proper authorization. The error occurs while installing dependencies for [email protected]. The log explicitly states 'No authorization header was set for the request' which indicates missing credentials for accessing this private resource.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: Melange.yaml

  • Addition after line 36 (before the 'pnpm install' command).

    Original:

      pnpm install -r --unsafe-perm

Replacement:

      # Create a .npmrc file to prevent accessing private repositories
      echo "always-auth=false" > .npmrc
      
      # Force resolution of facebook-nodejs-business-sdk to a version that doesn't depend on private packages
      cat << EOF > pnpm-workspace.yaml
      packages:
        - 'webapps/*'
      EOF
      
      cat << EOF > webapps/console/.npmrc
      public-hoist-pattern[]=*facebook-nodejs-business-sdk*
      EOF
      
      # Update package.json to use a public version of facebook-nodejs-business-sdk
      (cd webapps/console && npm pkg set resolutions.facebook-nodejs-business-sdk="20.0.1")
      (cd webapps/console && npm pkg set overrides.facebook-nodejs-business-sdk="20.0.1")
      
      pnpm install -r --unsafe-perm

Analysis

The build failure is occurring during the dependency installation phase where pnpm is attempting to fetch a private package (capi-param-builder-1.1.0-dev.tgz) from a private S3 bucket (capi-automation.s3.us-east-2.amazonaws.com). The error message "No authorization header was set for the request" clearly indicates this is an authentication issue for a private dependency.

The package "capi-param-builder" appears to be a private dependency used by the [email protected] package. Since this is a private resource requiring authorization, and Wolfi OS builds should rely on publicly available dependencies, the best approach is to either remove this dependency if it's not essential or replace it with a publicly available alternative.


Explanation

The build failure is occurring because the build system is trying to fetch a private dependency from an S3 bucket that requires authentication. The package capi-param-builder-1.1.0-dev.tgz is being requested by the [email protected] package, which is causing the 403 Forbidden error.

The suggested fix addresses this issue by:

  1. Creating a .npmrc file to explicitly disable authentication for packages, preventing attempts to authenticate with private repositories.

  2. Setting up a pnpm workspace configuration to better manage package dependencies across the project.

  3. Configuring hoisting patterns in the console app's .npmrc to properly handle the facebook SDK package.

  4. Explicitly downgrading to an earlier version (20.0.1) of the facebook-nodejs-business-sdk that doesn't depend on the private package. This version predates the dependency on the private package and should be compatible while being publicly available.

  5. Using both the "resolutions" and "overrides" fields in package.json to ensure pnpm uses the specified version regardless of what might be requested by other dependencies.

This approach follows Wolfi OS principles by ensuring all dependencies are publicly available, maintaining security, and keeping the build process deterministic and reproducible.


Alternative Approaches

  • Pin the exact version of all dependencies using a pnpm-lock.yaml file to avoid dependency resolution issues during build time
  • Fork the facebook-nodejs-business-sdk, remove the private dependency, and use the forked version in the build
  • Contact the maintainers of facebook-nodejs-business-sdk to request they make the dependency public or provide a public alternative
  • Replace facebook-nodejs-business-sdk with an alternative library that provides similar functionality without private dependencies

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.

octo-sts[bot] · May 27 '25 17:05
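The failure above is only visible once pnpm is already fetching, and the suggested fix reacts to a single package. A practitioner reviewing a Wolfi/melange build would rather catch every dependency that resolves outside the public registry before `pnpm install` runs, because any such entry (an S3 tarball, a codeload archive, a git commit) is a build-time network dependency that can 403, change, or disappear. The following scanner is an added example, not code from the wolfi-dev/os repository, the octo-sts bot, or the jitsu project. It walks the `packages:` section of a pnpm-lock.yaml line by line and flags `resolution:` entries of the `tarball:` and `type: git` forms whose host is not on an allow list; the lockfile text is constructed here to illustrate the shapes (the S3 URL is the one from the build log, the other package names and hashes are made up), and the assumption that registry packages carry only an `integrity:` hash is noted in the code.

```python
"""Scan a pnpm-lock.yaml for dependencies resolved outside the public npm registry.

Added example (not project code). Line-oriented on purpose so it runs without PyYAML.
"""
import re
import sys
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: only the public registry is acceptable for a distro build; extend per policy.
ALLOWED_HOSTS = {"registry.npmjs.org"}

# Constructed sample in the shape of a pnpm-lock.yaml 'packages:' section.
# Only the capi-automation S3 URL is taken from the real build log; the rest is invented.
SAMPLE_LOCK = """\
lockfileVersion: '9.0'

packages:

  '@types/node@20.0.0':
    resolution: {integrity: sha512-AAAA}

  'facebook-nodejs-business-sdk@21.0.0':
    resolution: {integrity: sha512-BBBB}

  'capi-param-builder@https://capi-automation.s3.us-east-2.amazonaws.com/public/nodejs/capi-param-builder/capi-param-builder-1.1.0-dev.tgz':
    resolution: {tarball: https://capi-automation.s3.us-east-2.amazonaws.com/public/nodejs/capi-param-builder/capi-param-builder-1.1.0-dev.tgz}
    version: 1.1.0-dev

  'some-lib@https://codeload.github.com/example/some-lib/tar.gz/abcdef':
    resolution: {tarball: https://codeload.github.com/example/some-lib/tar.gz/abcdef}
    version: 0.1.0

  'other-lib@git+https://github.com/example/other-lib.git#deadbeef':
    resolution: {commit: deadbeef, repo: git+https://github.com/example/other-lib.git, type: git}
    version: 0.2.0
"""


@dataclass(frozen=True)
class Finding:
    package: str   # lockfile key, e.g. "capi-param-builder@https://..."
    kind: str      # "tarball" or "git"
    location: str  # URL or git repo the build would contact


# A package entry is a two-space-indented key ending in ':' (quotes optional).
_PKG_RE = re.compile(r"^  (?P<key>\S.*):$")
# Tarball resolutions name the URL pnpm will GET at install time.
_TARBALL_RE = re.compile(r"^\s+resolution:\s*\{.*\btarball:\s*(?P<url>[^,}\s]+)")
# Git resolutions are fetched by cloning the repo at a commit.
_GIT_RE = re.compile(r"^\s+resolution:\s*\{.*\btype:\s*git\b")
_REPO_RE = re.compile(r"\brepo:\s*(?P<repo>[^,}\s]+)")


def off_registry_packages(lock_text, allowed_hosts=ALLOWED_HOSTS):
    """Return Findings for every package whose resolution is not a plain registry fetch.

    Assumption: registry packages carry only an 'integrity:' hash in their resolution,
    so anything with a 'tarball:' URL on a non-allowed host, or 'type: git', is flagged.
    """
    findings = []
    current = None
    for line in lock_text.splitlines():
        m = _PKG_RE.match(line)
        if m:
            current = m.group("key").strip("'\"")
            continue
        if current is None:
            continue
        m = _TARBALL_RE.match(line)
        if m:
            url = m.group("url")
            host = urlparse(url).hostname or ""
            if host not in allowed_hosts:
                findings.append(Finding(current, "tarball", url))
            continue
        if _GIT_RE.match(line):
            r = _REPO_RE.search(line)
            findings.append(Finding(current, "git", r.group("repo") if r else "?"))
    return findings


def report(findings):
    """Render findings one per line; non-empty output means the build will leave the registry."""
    return "\n".join(f"{f.kind:8} {f.package.split('@', 1)[0]:32} {f.location}" for f in findings)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    found = off_registry_packages(text)
    print(report(found) or "no off-registry resolutions")
    sys.exit(1 if found else 0)
```

Run it as `python lock_scan.py webapps/console/pnpm-lock.yaml` (or wherever the lockfile lives) in a pipeline step before `pnpm install`; a non-zero exit stops the build with the offending package and URL already in the log, instead of a bare 403. If a tarball host must be tolerated for a given package, add it to `allowed_hosts` deliberately rather than disabling the check. One caveat on the suggested fix above: pnpm's own override mechanism is the `pnpm.overrides` key of package.json, so whether the top-level `overrides` and `resolutions` fields it sets are honoured depends on the pnpm version in use; re-running this scan after the change confirms whether the S3 tarball actually left the lockfile.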

This Pull Request is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Keep fresh with the 'lifecycle/frozen' label.

github-actions[bot] · Aug 26 '25 01:08