5 Commits

Author SHA1 Message Date
Mel Bourgeois
1948179a74 yarn2nix: limit ssri parsing to supported algorithms
Nix supports md5, sha1, sha256, and sha512 hashes. The first two are
deprecated, but many npm packages provide only a sha1, so we have to
allow that one. This commit continues to leverage `ssri` for reliable
integrity string parsing and algorithm selection, but limits it to only
supported hash algorithms.

It also switches the hash representation in the generated nix file to
base64, since that format is supported by nix (suggested by jtojnar).
This saves a little disk space and computation.

Finally, it adds a .prettierignore file, since prettier called with the
arguments in the format command currently tries to format node_modules.
2022-10-30 17:31:10 -05:00
Mel Bourgeois
0bb8e94900 yarn2nix: Handle lockfile entries with multiple integrity hashes
Some NPM packages provide multiple integrity hashes with different
algorithms. These are space separated, like below:

```
tar@^4:
  version "4.4.19"
  resolved "https://registry.yarnpkg.com/tar/-/tar-4.4.19.tgz#2e4d7263df26f2b914dee10c825ab132123742f3"
  integrity "sha1-Lk1yY98m8rkU3uEMglqxMhI3QvM= sha512-a20gEsvHnWe0ygBY8JbxoM4w3SJdhc7ZAuxkLqh+nvNQN2IOt0B5lLgM490X5Hl8FF0dl0tOf2ewFYAlIFgzVA=="
```

Currently, yarn2nix isn't able to handle these lockfile entries,
producing an error like `error: hash 'Lk1yY98m8rkU3uEMglqxMhI3QvM=
sha512' has wrong length for hash type 'sha1'`. This is because it isn't
aware that spaces could separate multiple hashes.

This commit uses the official Standard Subresource Integrity package
from npm to parse the integrity line, and pick the best available
algorithm. It also replaced many of the local yarn2nix entries with
sha512, even ones that don't include it in the lockfile. Not sure how
that happened, but it works in practice!

The addition of `ssri` may also reduce signs and symptoms of depression.
2022-10-26 19:23:08 -05:00
Robert Hensing
a201246bac treewide: runCommandNoCC -> runCommand in generated code
This has been synonymous for ~5y.

Note that many of these runCommand bindings are unused, but that's
ok for generated code.
2021-08-15 17:36:41 +02:00
lassulus
6e687b6325 yarn2nix: yarn update 2021-01-01 17:35:05 +01:00
WilliButz
f748b501e8 yarn2nix-moretea: init at 2019-04-10 2019-07-25 17:15:00 +02:00
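
The two `ssri` commits above (0bb8e94900 and 1948179a74) describe parsing a space-separated integrity line and keeping only hash types Nix supports. The sketch below is an added example, not yarn2nix's or `ssri`'s code: a hand-written parser stands in for `ssri`, and the function names and the `naiveDigest` reconstruction of the old failure are assumptions.

```javascript
// Added example; not code from yarn2nix or ssri. All names are hypothetical.
// Digest sizes in bytes for the hash types the commit message lists as
// supported by Nix, in order from weakest to strongest.
const NIX_ALGOS = new Map([["md5", 16], ["sha1", 20], ["sha256", 32], ["sha512", 64]]);
const STRENGTH = [...NIX_ALGOS.keys()];

// Integrity value copied from the tar@^4 lockfile entry quoted in 0bb8e94900.
const TAR_INTEGRITY =
  "sha1-Lk1yY98m8rkU3uEMglqxMhI3QvM= " +
  "sha512-a20gEsvHnWe0ygBY8JbxoM4w3SJdhc7ZAuxkLqh+nvNQN2IOt0B5lLgM490X5Hl8FF0dl0tOf2ewFYAlIFgzVA==";

// Assumed shape of the failure: treating the line as a single "<algo>-<digest>"
// pair yields the malformed value quoted in the Nix error message.
function naiveDigest(integrity) {
  return integrity.split("-")[1];
}

// Split an SRI string into entries. Entries are whitespace separated; each is
// "<algo>-<base64 digest>" with an optional "?options" suffix.
function parseIntegrity(integrity) {
  return integrity.trim().split(/\s+/).filter(Boolean).map((entry) => {
    const dash = entry.indexOf("-");
    if (dash < 1) throw new Error(`malformed integrity entry: ${entry}`);
    return {
      algorithm: entry.slice(0, dash).toLowerCase(),
      digest: entry.slice(dash + 1).split("?")[0],
    };
  });
}

// Keep entries whose algorithm is supported and whose digest decodes to the
// exact byte length for that algorithm, then return the strongest one.
function pickNixHash(integrity) {
  const usable = parseIntegrity(integrity).filter(({ algorithm, digest }) =>
    NIX_ALGOS.has(algorithm) &&
    /^[A-Za-z0-9+\/]+={0,2}$/.test(digest) &&
    Buffer.from(digest, "base64").length === NIX_ALGOS.get(algorithm));
  if (usable.length === 0) throw new Error("no supported hash in integrity string");
  usable.sort((a, b) => STRENGTH.indexOf(b.algorithm) - STRENGTH.indexOf(a.algorithm));
  return usable[0];
}
```

Checking the decoded length before emitting the hash rejects a truncated or mislabelled digest at generation time instead of at Nix evaluation time.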