-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] gzip archives (from git) have inconsistent checksums across Linux distributions #76
Comments
npm/pacote#76 caused issues for some developers when installing this package from git
I think we're running into this as well - we rely on github repo-based packages, and having installs fail due to integrity issues based on who's installing is rather problematic. |
I think we're running into this, too. The package-lock.json is generated on linux dev environments. But pushes to Heroku fail for the integrity checksum mismatch. |
I just ran into this issue and exactly the same variant as @ahuth. It seems like there hasn't been any updates to this as I'm using the newest version of npm (7.22.0) and it's still occurring. |
Same happening between Windows and Linux machines, very frustrating:
|
I have a package that contains a prepare script to build a go binary when installed. When I run Npm 6 -- stable
Npm 7 -- different every time
Note on reproducing: This is the public Zed repo so you can use the commands above, but you'll need |
Can confirm this is fixed for me. |
What / Why
This is very similar to #62 and possibly npm/cli#2846 but since it's happening reliably on the same machine (ie no architectural differences) in separate docker containers and comments are more likely to be overlooked, I preferred to open a new issue.
I can reliably reproduce this bug using ubuntu and archlinux Docker images using these two Dockerfiles (just for the sake of reproducing it easily) - simply run builds using
docker build -f Dockerfile.XXX .
and check the different lock files:How
When running
npm pack
innode_modules/jqplot
manually I also get the different integrity hashes, but when Igunzip
those files the.tar
files have the same checksum so it's clearly related to gzip producing different output.On my Gentoo system I get the same hash as on archlinux; I just used arch in the dockerfile because it's faster than compiling nodejs manually on a Gentoo image ;)
The text was updated successfully, but these errors were encountered: