We found that if you use bazel run -- @pnpm//:pnpm info <package> --verbose, you will see what version of node and what version of npm is being used. The version of npm used is derived from the user's PATH instead of from the sandbox. node however is safe as it's part of js_binary. The reason this is problematic is that npm is what may or may not have a hand in determining the integrity field in the lockfile. If you have npm version drift you can end up in a state where users are getting different integrity SHAs in the lockfile based on the response from the registry.
Notice that between runs the path in this output will change. In my case, you can see I have npm from node 16 installed on my path when my monorepo uses node 18.
npm verb cli /private/var/tmp/_bazel_davidaghassi/30b12e6784b9304c95faa3f4506c5839/execroot/rh/bazel-out/darwin_arm64-fastbuild/bin/external/pnpm/pnpm.sh.runfiles/rh/../pnpm/pnpm_node_bin/node /Users/davidaghassi/.nvm/versions/node/v16.18.0/bin/npm
npm info using npm@8.19.2
npm info using node@v18.18.2
Thanks to @joeljeske for helping me pinpoint and debug this. This may be related to this issue we are seeing too: pnpm/pnpm#7419 (comment)
Version
Development (host) and target OS/architectures:
Output of bazel --version:
6.4.0
Version of the Aspect rules, or other relevant rules from your WORKSPACE or MODULE.bazel file:
rules_js: 1.39.1
Language(s) and/or frameworks involved:
How to reproduce
See above
Any other information?
No response
To reproduce you can simply do the following:
nvm https://github.com/nvm-sh/nvm
nvm install 16 && nvm use 16
bazel run -- @pnpm//:pnpm info react --verbose
nvm install 18 && nvm use 18
bazel run -- @pnpm//:pnpm info react --verbose
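A check for the drift reported in this issue, as an added example that is not part of the original issue or of rules_js: it reads `--verbose` output on stdin, takes the `npm verb cli <node> <npm>` line, and reports whether each binary came from Bazel or from the host PATH. The function names, the path heuristic (a hermetic binary sits under an `execroot` or `.runfiles` directory) and the sample lines are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not rules_js code. Flags a host-provided npm in the
# verbose output of: bazel run -- @pnpm//:pnpm info <package> --verbose

# Assumption: binaries provided by Bazel live under execroot/ or *.runfiles/.
origin_of() {
  case "$1" in
    */execroot/*|*.runfiles/*) echo hermetic ;;
    *) echo host ;;
  esac
}

# Reads verbose output on stdin and prints "node=<origin> npm=<origin>".
# Returns 0 if both are hermetic, 1 on drift risk, 2 if the line is missing.
npm_origin() {
  line=$(grep -m1 '^npm verb cli ' || true)
  if [ -z "$line" ]; then
    echo "node=unknown npm=unknown"
    return 2
  fi
  # Fields: npm verb cli <node-path> <npm-path> (paths with spaces unsupported).
  read -r w1 w2 w3 node_path npm_path <<EOF
$line
EOF
  node_o=$(origin_of "$node_path")
  npm_o=$(origin_of "$npm_path")
  echo "node=$node_o npm=$npm_o"
  [ "$node_o" = hermetic ] && [ "$npm_o" = hermetic ]
}

# Constructed sample, modelled on the output quoted in the issue.
sample_drift() {
  cat <<'EOF'
npm verb cli /private/var/tmp/_bazel_user/HASH/execroot/ws/bazel-out/bin/external/pnpm/pnpm.sh.runfiles/ws/../pnpm/pnpm_node_bin/node /Users/user/.nvm/versions/node/v16.18.0/bin/npm
npm info using npm@8.19.2
npm info using node@v18.18.2
EOF
}

# Demo: node comes from Bazel, npm comes from the host PATH.
sample_drift | npm_origin || true
```

In CI, pipe the real command's combined output (`2>&1`) into `npm_origin` and fail the job on a non-zero status.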