Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Build Fail (v2.8.0) #94

Open
regan-sarwas opened this issue Nov 12, 2018 · 0 comments
Open

Build Fail (v2.8.0) #94

regan-sarwas opened this issue Nov 12, 2018 · 0 comments

Comments

@regan-sarwas
Copy link
Contributor

I suggest that it might be time to update some of the very old dependencies in this app (i.e. grunt 0.4.1 released April 2013) so that it will work with modern build systems.

npm install fails if it was run previously (In this case I ran it when I pulled v2.7, and just re-ran it after updating to v2.8).

$ npm install
WARN tarball tarball data for esprima@https://github.com/ariya/esprima/tarball/master (sha1-C0XMQgDkwwAPPkY1H9aa+FeCIPo=) seems to be corrupted. Trying one more time.
WARN tarball tarball data for esprima@https://github.com/ariya/esprima/tarball/master (sha1-C0XMQgDkwwAPPkY1H9aa+FeCIPo=) seems to be corrupted. Trying one more time.
npm ERR! code EINTEGRITY
npm ERR! Verification failed while extracting esprima@https://github.com/ariya/esprima/tarball/master:
npm ERR! Verification failed while extracting esprima@https://github.com/ariya/esprima/tarball/master:
npm ERR! sha1-C0XMQgDkwwAPPkY1H9aa+FeCIPo= integrity checksum failed when using sha1: wanted sha1-C0XMQgDkwwAPPkY1H9aa+FeCIPo= but got sha512-SVdIGYq0LOpiY9XZtA0lQW2/2yaylJnn/PCoHxQcPHljkT9L80Q8LOIyOMptNhDd53mOxRaStBofT7zPRozRsA== sha1-cr7xGPeqozHb0ANjhEbQiPyiEAc=. (6402157 bytes)

npm ERR! A complete log of this run can be found in:
npm ERR!     ~/.npm/_logs/2018-11-12T00_57_32_205Z-debug.log
$

The problem is that npm 5.0+ (since May 2017) creates a package-lock.json which caches a hash for each module to ensure reproducibility. Unfortunately, there is a deep dependency on esprima/tarball/master. The hash for this dependency will change with each commit to esprima, unlike a versioned tarball, so the lock file is quickly unsatisfiable. The package lock system of npm is not designed to work with un-versioned dependencies like this -- all other dependencies reference a versioned tarball. The problem originates in the package.json file of jshint 1.1.0 (current version is 2.9.6 which does not require esprima at all), jshint 1.1.0 is a dependency of grunt-contrib-jshint 0.4.3 (current version is 2.0.0 which requires jshint ~2.9.6).

It is possible to work around this issue by removing or manually editing package-lock.json, but that defeats the benefits.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant