[Bug?]: Yarn checksums are dependent on user-configurable compression ratio

Open ashkitten opened this issue 1 year ago • 1 comments

Self-service

  • [ ] I'd be willing to implement a fix

Describe the bug

yarn.lock checksums are calculated based on the hash of the zip files in the cache directory, NOT their contents. This causes issues where if a user has a global .yarnrc.yml with compressionLevel set to something other than the default 0, yarn will always attempt to update the lockfile with all new hashes. This is especially bad in a hypothetical scenario where a developer has compressionLevel set globally and commits their lockfile, then someone tries to use the lockfile with --immutable (say, in a typical distro package build script).

To reproduce

  1. yarn config set compressionLevel 0
  2. yarn install
  3. yarn config set compressionLevel 1
  4. yarn install --immutable # fails!

Environment

  System:
    OS: Linux 6.6 NixOS 24.05 (Uakari) 24.05 (Uakari)
    CPU: (12) x64 AMD Ryzen 5 5600X 6-Core Processor
  Binaries:
    Node: 20.10.0 - /tmp/xfs-94698436/node
    Yarn: 4.0.1 - /tmp/xfs-94698436/yarn
  npmPackages:
    jest: ^29.5.0 => 29.7.0

Additional context


ashkitten, Jan 08 '24 17:01
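
The failure mode described in this issue, as an added example that is not part of the original post or Yarn's code: the same constructed files are zipped at deflate levels 0 and 1, and the digest of the archive bytes changes while a digest over the decompressed entries does not. Python's zipfile stands in for Yarn's cache writer; SHA-512, the sample files and all function names are assumptions made for the illustration.

```python
import hashlib
import io
import zipfile

# Constructed sample package contents (file name -> bytes), not a real package.
SAMPLE_FILES = {
    "package.json": b'{"name": "demo", "version": "1.0.0"}\n',
    "index.js": b"module.exports = () => 'hello';\n" * 40,
}

def build_archive(files, level):
    """Zip the files deterministically at the given deflate level."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            # Fixed timestamp so the compression level is the only variable.
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            zf.writestr(info, files[name],
                        compress_type=zipfile.ZIP_DEFLATED, compresslevel=level)
    return buf.getvalue()

def archive_digest(archive):
    """Hash of the zip file bytes: what the issue says the lockfile records."""
    return hashlib.sha512(archive).hexdigest()

def content_digest(archive):
    """Hash of the decompressed entries: independent of how they were packed."""
    h = hashlib.sha512()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in sorted(zf.namelist()):
            data = zf.read(name)
            # Length-prefix each field so entry boundaries are unambiguous.
            for field in (name.encode(), data):
                h.update(len(field).to_bytes(8, "big"))
                h.update(field)
    return h.hexdigest()

def compare(level_a, level_b, files=SAMPLE_FILES):
    """Report whether archive-level and content-level digests agree."""
    a, b = build_archive(files, level_a), build_archive(files, level_b)
    return {
        "archive_match": archive_digest(a) == archive_digest(b),
        "content_match": content_digest(a) == content_digest(b),
    }

if __name__ == "__main__":
    print(compare(0, 1))  # the two levels used in the reproduction steps
```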

Related - https://github.com/yarnpkg/berry/issues/5939

@ashkitten I added a reproduction in my old issue if you want to use it here. Though my issue was only about missing documentation about the change.

rohit-gohri, Jan 15 '24 11:01