v5.1.2 backwards compatibility, and unpublished version.

[patsjo]

Between 5.1.1 and 5.1.2 the package.json changed version of ajv from ^5.3.0 to ^6.5.5.

When some other package (like request 2.88.0) has a dependency of har-validator ~5.1.0, it can cause other things to break if you allow a major dependency change, without changing you own major version.

In my case, I cant build any more. I got the error:
ERROR in bundle-a54549f6346a118c4764.js from UglifyJs
SyntaxError: Unexpected token: name (length) [./~/punycode/punycode.js:55,0]

This error is because ajv from version 5.x.x to 6.x.x. forced punycode to change major version aswell. (nothing wrong with that)

[ahmadnassri]

interesting, I'm going to dig into this today, and see what can be done.

[ahmadnassri]

I have unpublished 5.1.2 and 5.1.1 in the meantime from npm. future installs of request should not be affected.

[ahmadnassri]

@patsjo can you please provide me with some reproducible steps?

[mattcasey]

Hi, this error is breaking one of our builds. It just started happening within the last 24 hours. I can reproduce just by doing npm install ajv. Using npm 6.

[edit] sorry... it only works when i'm in the specific project. trying to figure out what version of ajv we're using, because it's not a direct dependency

[mattcasey]

OK, I figured it out on our end. It just so happened that we needed to bump a dependency and update our package-lock.json at the moment that 5.1.2 was available. I fixed the issue for us by just deleting package-lock.json and re-creating with npm install. I can share our lock file if you want, but it is pretty massive. har-validator was a dependency of request

[simoami]

@ahmadnassri

Need to let you know the impact of unpublishing on dependent libs. It's failing a yarn install.

yarn
yarn install v1.7.0
[1/5] 🔍  Validating package.json...
[2/5] 🔍  Resolving packages...
[3/5] 🚚  Fetching packages...
error An unexpected error occurred: "http://..../har-validator/-/har-validator-5.1.2.tgz: Request failed \"404 Not Found\"".
info If you think this is a bug, please open a bug report with the information provided in "/code/app/yarn-error.log".
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

Our dependencies are:

=> Found "strong-remoting#[email protected]"
=> Found "loopback#[email protected]"
=> Found "loopback-connector-remote#[email protected]"
=> Found "npm-registry-client#[email protected]"

As a strategy, I'd perhaps suggest you either bump to a 5.1.3 that reverts the bad behavior or to republish 5.1.1 and 5.1.2 as copies of 5.1.0 so we don't get a 404 error on yarn/npm install, because of fixed dependencies in *.lock files

[nickf829]

Publishing a rolled back v5.1.3 would have been preferred to unpublishing 5.1.2. This is causing major headaches from nexus and artifactory users.

[sledorze]

unpublishing 5.1.2 has caused an outage on our circle-ci tests, please, release a 5.1.3 version before the whole universe goes mad about you! :)

[aaronhayes]

Also seeing 404 errors during installs; Ideally we should be releasing a5.1.3 version that reverts broken code. This is going to cause a lot of people headaches; this package gets around ~10m downloads per week.

[Paqrat76]

@ahmadnassri Can you give folks an update as to your plan/timing to resolve this issue?

[Paqrat76]

Here is what is blocking our builds:
npm ERR! notarget No matching version found for [email protected]

$ npm list har-validator
[email protected] /mnt/c/DevGit/snowbucket
├─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └─┬ [email protected]
│ └── [email protected]
└─┬ [email protected]
└─┬ [email protected]
└── [email protected]

[ahmadnassri]

I'm investigating the issue, so far nobody has provided me with any reproducible steps.

request is dependant on version ~5.1.0

npm install request correctly installs the latest matching version from npm:

$ npm install request
$ npm list har-validator
/tmp
└─┬ [email protected]
  └── [email protected]

there was never any broken code pushed or changes made, other than bumping ajv, which, despite being a major version, still has no impact on har-validator or request

[ahmadnassri]

for folks with cached package-lock / yarn.lock run install action again to update your lock files.

a 5.1.3 version (identical to 5.1.0) was pushed to also help with installs.

@patsjo what version of node are you on?

[ahmadnassri]

for reference: this is the only change between 5.1.0 and 5.1.2 of any meaningful impact: 759bffe (the rest are docs and dotfiles)

ajv version got bumped and related changes were added, nothing else was changed, and ajv still maintains support for browsers and Node.js 0.10-8.x according the README

cc: @epoberezkin @realityking

[realityking]

AJV’s readme is wrong. It only supports Node.js 6 #109 (comment)

As for har-validator itself, the CircleCI config should be amended to cover all supported versions so something like this doesn’t happen.

Best thing right now would probably be to rerelease 5.1.0 as 5.1.3 and 5.1.2 as 6.0.

[seprich]

Yes npm install works, resolving har-validator to version 5.1.3 (as required by [email protected]).
However yarn install is broken because it fetches metadata from https://registry.yarnpkg.com :

error Couldn't find any versions for "har-validator" that matches "5.1.2"

Seems that the unpublishing has left yarn registry dirty.

[ahmadnassri]

I don't / can't support yarn, they seem to be doing their own snowflake thing ...

for people using yarn because of the speed, npm has made massive improvements in recent versions and is actually faster than yarn now, see npm ci, pacakge-lock.json, npm install improvements, etc ... (just FYI)

They also don't have any method of interacting with their registry to do things like unpublish: yarnpkg/yarn#4746

unpublishing packages is part of the expected behavior of a registry, and of dependency management.

a registry or registry client does not take care of managing your dependencies for you, you still have to do your part in managing your dependencies in your apps.

@seprich also see these issues with Yarn that are going on unresolved: yarnpkg/yarn#5212

I'm sorry, but yarn is not an official registry, and my packages (as well as all of npm's users packages) are targeted for publish on npm, which means we follow and support npm's workflows.

[ahmadnassri]

also, see conversation thread here: https://twitter.com/AhmadNassri/status/1062733707579219968

it might just be that your lock files need to be updated @seprich

[amypellegrini]

Hi @ahmadnassri, I encounter this bug today, reproduction steps:

In a Mac, using yarn, tried to install react-markdown was enough to see the error.

Hope it helps! I'll try to spare some time to give a hand if I can.

[ahmadnassri]

hey @amypellegrini

the issue is in your lock file, likely needs a refresh, installation works fine without a lock file, so there must be a conflict in there.

[Pipeman]

@ahmadnassri It sound strange it is related only to package-lock, I went all the way down to delete the entire node installation and it was still happening. Only when I manually npm installed har-validator 5.1.3 as a direct dependency I was able to solve the issue.

[DanielRuf]

It seems .1 and .2 were removed which breaks setups. Was there a good reason to unpublish / remove them?

[DanielRuf]

Seems that the unpublishing has left yarn registry dirty.

yarnpkg is just a proxy for npmjs so this is not true. Yarn always uses the lockfile, npm i does not but npm ci.

[DanielRuf]

@pgonzal yarn and npm create tags when you use the version or publish commands but they are not pushed with git push but git push --tags.

[DanielRuf]

@Glathrop no, a simple proxy, they both use Cloudflare and yarnpkg.com points to npmjs.com ;-) A mirror would be a copy on Yarn's side. (like a RAID mirror mode).

[felixcatto]

I removed package-lock.json, execute "npm i". Then cleared cache on heroku https://coderwall.com/p/jjcpra/clean-heroku-npm-cache
then i finally was able to push my changes on heroku without errors.

[Macil]

For yarn users: If you have a yarn.lock file referencing the since-unpublished version of har-validator, then removing your yarn.lock file and re-running yarn will fix your issues by generating a new yarn.lock file containing an existing version of har-validator. (Yarn works just like npm, just substitute "package-lock.json" for "yarn.lock", and "npm install" for "yarn".)

[motss]

I'm facing this weird issue on my machine with Windows 10 x64. I tried several time to rebuild the lockfile but for some unknown reasons, the [email protected] was installed. I'm suspecting that might be due to the fact that npm is grabbing a cached version of har-validator from my local cache which is the unpublished 5.1.2. I tried npm cache clean --force to clear the local NPM cache and it worked as NPM now grabbing whatever is the latest from the NPM registry.

Everyone can try this little finding of mine to see if it works for you.

[jamesgecko]

Yarn has a global lockfile. If this issue is preventing you from using yarn global add, you'll need to delete the file. It was in ~/.local/share/yarn/global/yarn.lock on my macOS machine.

[taylorkline]

Deleting the global lockfile as @jamesgecko suggested worked for me, but the file was located at ~/.config/yarn/global/yarn.lock

[ahmadnassri]

this library has not been maintained, nor has any further planned maintenance. I made a dependency update release today and this will be the last one. this repo will be archived.

[praveenpandey02]

I'm investigating the issue, so far nobody has provided me with any reproducible steps.

request is dependant on version ~5.1.0

npm install request correctly installs the latest matching version from npm:

$ npm install request
$ npm list har-validator
/tmp
└─┬ [email protected]
  └── [email protected]

there was never any broken code pushed or changes made, other than bumping ajv, which, despite being a major version, still has no impact on har-validator or request

So this resolved my issue. I first ran npm install request and then proceeded further with other package installations.