[Bug] Checksum mismatch for package referenced as "git+https://github.com..."

  • I’d be willing to implement a fix

☝️ not sure where I’d have to look/start

Describe the bug

  • We are currently trying to migrate to yarn v2.

  • We have one package in our package.json that is defined like this: "objection": "git+https://github.com/ovos/objection.js.git#1.6.10-mod.0"

  • We ran yarn and it regenerated the lock file

  • When we now run yarn --immutable during our CI workflow, yarn ends up with an error for this package - YN0018 checksum doesn’t match.

  • I noticed that yarn seems to build a new “archive” for this package (I guess because it’s not packaged and published via a registry), could it be that this package looks slightly different depending on the system and this causes the checksum mismatch? (committed yarn.lock was generated on macos 11.1 whereas the CI flow is running on Debian 10)

  • With yarn v1 and --frozen-lockfile this worked fine 🤔

To Reproduce

I created a separate small repo with just this dependency and 2 Github Actions to illustrate the issue: https://github.com/flipace/yarn2-checksum-error-giturl/runs/1749446131?check_suite_focus=true

I allow the yarn step to update the checksums in the lockfile, and as you can see, they are different on the macos and the ubuntu jobs, and when rerunning the job, it always ends up with a different checksum…

Reproduction
await packageJsonAndInstall({
  dependencies: {
    [`objection`]: `git+https://github.com/ovos/objection.js.git#1.6.10-mod.0`,
  },
});


Environment if relevant (please complete the following information):

  • OS: macos 11.1 / debian 10
  • Node version: v12.18.3
  • Yarn version: 2.4.0

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Reactions: 1
  • Comments: 40 (8 by maintainers)

Top GitHub Comments

23 reactions
bkjohnson commented, Aug 19, 2021

I’m able to reproduce this using yarn 3.0.1. This is the scenario:

  1. Package A is being used with a git url. Only source files are committed, and a prepare script is used to do a build once installed
  2. Add Package A as a dependency in Package B for the first time
    • Person 1 commits changes & pushes
  3. Person 2 pulls the branch and does a yarn install. Checksums don’t match, and there is an error code YN0018.

Can this issue be re-opened?

7 reactions
brianlenz commented, Jul 14, 2022

We are having the same issue using Yarn 3.2.1. Here is the dependency from our package.json:

"react-native-track-player": "git+https://github.com/doublesymmetry/react-native-track-player.git#44b56147c53e833de7b8fe9b6b26b8413d9ae7d9"

Here’s the yarn.lock:

"react-native-track-player@git+https://github.com/doublesymmetry/react-native-track-player.git#44b56147c53e833de7b8fe9b6b26b8413d9ae7d9":
  version: 2.2.0-rc3
  resolution: "react-native-track-player@https://github.com/doublesymmetry/react-native-track-player.git#commit=44b56147c53e833de7b8fe9b6b26b8413d9ae7d9"
  peerDependencies:
    react: ">=16.8.6"
    react-native: ">=0.60.0-rc.2"
    react-native-windows: ">=0.63.0"
  peerDependenciesMeta:
    react-native-windows:
      optional: true
  checksum: abaff8e3e3e33e42a731d2a9256c1a48e3f98ec8583db939a6a99caedbdade29585277d0920a6afeb69c8b9fdcb4f981b09786c2d6ba8193f5025dfb02341f09
  languageName: node
  linkType: hard

We are seeing differences on identical versions of macOS (Monterey 12.4) using Node 18.5.0.

  • Most machines (including macOS dev machines and GitHub Actions CI Linux runner) generate this file:
    • react-native-track-player-https-50569cc95b-abaff8e3e3.zip
      • Full checksum: abaff8e3e3e33e42a731d2a9256c1a48e3f98ec8583db939a6a99caedbdade29585277d0920a6afeb69c8b9fdcb4f981b09786c2d6ba8193f5025dfb02341f09
  • On my macOS machine, it generates a file with a different checksum:
    • react-native-track-player-https-50569cc95b-1420b23b25.zip
      • Full checksum: 1420b23b250403fefcb4ccfeb22c1529a3ff8dad5a7ac11a10075771297c48c570956a86f8269e7325e2a9bcc4e320c29cc0a3446a21f67a38efd3284dcdf128

Upon extracting the zip files and doing a recursive diff, there’s only a single change between the two zip files, at the bottom of the package.json file:

diff -r node_modules-main/react-native-track-player/package.json node_modules-bad/react-native-track-player/package.json
86c86,87
-   }
+   },
+   "packageManager": "yarn@3.2.1"

So, for whatever reason, my Yarn 3.2.1 is injecting the packageManager into the package.json that other Yarn installs are not. I’ve tried --mode=skip-build, but it has the same result. It doesn’t matter if we remove and re-add the package, the behavior stays consistently the same.

We have the Yarn 3.2.1 release managed in git under .yarn/releases/yarn-3.2.1.cjs, so it’s really confusing how this might be happening. The package.json from the project doesn’t have the packageManager specified, as they are using Yarn 1:

https://github.com/doublesymmetry/react-native-track-player/blob/44b56147c53e833de7b8fe9b6b26b8413d9ae7d9/package.json

I’ve tried installing Yarn via Homebrew, via corepack in Homebrew, and also globally with npm i -g yarn, and all three install variations (each version 1.22.19) have the same behavior.

Does anyone have any ideas what might be causing this difference in behavior? @arcanis?
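The extract-and-diff step described in the comment above can be scripted so that a checksum mismatch is traced to the exact file and manifest key that changed. This is an added example, not code from the issue thread or from Yarn; the function names, directory names and sample manifests are constructed for illustration.

```javascript
// Added example (not from the issue): compare two extracted copies of a packed git dependency.
const fs = require("fs"), os = require("os"), path = require("path"), crypto = require("crypto");

// Map each file's relative path under `root` to the SHA-512 of its contents.
function hashTree(root, dir = root, out = new Map()) {
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) { hashTree(root, full, out); continue; }
    const rel = path.relative(root, full).split(path.sep).join("/");
    out.set(rel, crypto.createHash("sha512").update(fs.readFileSync(full)).digest("hex"));
  }
  return out;
}

// Top-level package.json keys whose values differ between the two copies.
function manifestKeyDiff(fileA, fileB) {
  const [a, b] = [fileA, fileB].map((f) => JSON.parse(fs.readFileSync(f, "utf8")));
  return [...new Set([...Object.keys(a), ...Object.keys(b)])]
    .filter((k) => JSON.stringify(a[k]) !== JSON.stringify(b[k])).sort();
}

// Report files present on one side only, files whose bytes differ, and differing manifest keys.
function compareExtracted(dirA, dirB) {
  const a = hashTree(dirA), b = hashTree(dirB);
  const report = { onlyInA: [], onlyInB: [], changed: [], manifestKeys: [] };
  for (const [file, digest] of a) {
    if (!b.has(file)) report.onlyInA.push(file);
    else if (b.get(file) !== digest) report.changed.push(file);
  }
  for (const file of b.keys()) if (!a.has(file)) report.onlyInB.push(file);
  if (report.changed.includes("package.json"))
    report.manifestKeys = manifestKeyDiff(path.join(dirA, "package.json"), path.join(dirB, "package.json"));
  return report;
}

// Constructed sample: two trees that differ only by the injected field (directory names are hypothetical).
function buildSample() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "pack-diff-"));
  const manifest = { name: "react-native-track-player", version: "2.2.0-rc3" };
  const trees = { main: manifest, bad: { ...manifest, packageManager: "yarn@3.2.1" } };
  for (const [name, pkg] of Object.entries(trees)) {
    fs.mkdirSync(path.join(base, name, "lib"), { recursive: true });
    fs.writeFileSync(path.join(base, name, "package.json"), JSON.stringify(pkg, null, 2));
    fs.writeFileSync(path.join(base, name, "lib", "index.js"), "module.exports = {};\n");
  }
  return [path.join(base, "main"), path.join(base, "bad")];
}

console.log(compareExtracted(...buildSample()));
```

Point `compareExtracted` at the two unzipped cache archives to see whether a mismatch comes from a rewritten manifest, a build output, or an extra file.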
