Hash validation failed for yarn when COREPACK_NPM_REGISTRY is set on one side #435

Closed
zhyupe opened this issue Mar 22, 2024 · 3 comments · Fixed by #439

Comments

@zhyupe
Contributor

zhyupe commented Mar 22, 2024

Currently, yarn berry can be downloaded in two forms, tar or js, depending on whether COREPACK_NPM_REGISTRY is set. However, the hash validation step simply calculates the shasum of the download stream, and obviously the hashes mismatch.

For example, shasums for yarn 4.1.1 are:

61b9f63c5edc625867eeda36190a4efebdf7840052db5f6583e301a9d228eb43  cli-dist-4.1.1.tgz
f3cc0eda8e5560e529c7147565b30faa43b4e472d90e8634d7134a37c7f59781  yarn.js

Reproduce steps:

  1. Call corepack use [email protected] without COREPACK_NPM_REGISTRY being set. The hash will be written to package.json:
"packageManager": "[email protected]+sha256.f3cc0eda8e5560e529c7147565b30faa43b4e472d90e8634d7134a37c7f59781"
  2. Copy the project to an environment where COREPACK_NPM_REGISTRY is set.
  3. Call corepack yarn; the following error will be thrown:
Internal Error: Mismatch hashes. Expected f3cc0eda8e5560e529c7147565b30faa43b4e472d90e8634d7134a37c7f59781, got 61b9f63c5edc625867eeda36190a4efebdf7840052db5f6583e301a9d228eb43
@aduh95
Contributor

aduh95 commented Mar 22, 2024

Ah yes, that's an unfortunate side-effect, I'm not sure what would be the solution here 🤔 I suppose the Yarn registry could use the same archive format as the npm registry, but that would invalidate all the hashes for existing Corepack users.

@arcanis
Contributor

arcanis commented Mar 22, 2024

In the case of Yarn the tarball just contains the same source file as the website. We could add a fetch variant that pulls this one file from the archive rather than the whole archive 🤔

That should even be simpler, since the checksum is computed right after the extraction, or after writing the file to disk:

sendTo = tar.x({strip: 1, cwd: tmpFolder});

@zhyupe
Contributor Author

zhyupe commented Mar 22, 2024

> Ah yes, that's an unfortunate side-effect, I'm not sure what would be the solution here 🤔 I suppose the Yarn registry could use the same archive format as the npm registry, but that would invalidate all the hashes for existing Corepack users.

Agreed, but that change is kind of late, as many users may already have written the hash of yarn.js into their package.json.

Therefore I prefer @arcanis's idea of adding an option (maybe on npmRegistry) to extract only the yarn.js file, as things got really complicated there and this is the simplest solution with the fewest users affected (only those who wrote hashes with COREPACK_NPM_REGISTRY set will be broken). But that would be another yarn-berry-specific code branch in corepack.
