xlsx-cli dependency on xlsx archive breaks package-lock.json #2830

Closed
opened 2022-11-18 13:52:26 +00:00 by ckoncz-hwx · 1 comment

The way xlsx-cli defines its dependency on xlsx (by referring to an archive whose contents change) breaks npm installs that have package-lock.jsons.

https://github.com/SheetJS/sheetjs/blob/515d1c6f2e1d3ca422ee9198b177cfd926434936/packages/xlsx-cli/package.json#L27

This is what a section in package-lock.json looks like when created by "npm install xlsx-cli":

    "node_modules/xlsx": {
      "version": "0.19.0",
      "resolved": "https://cdn.sheetjs.com/xlsx-latest/xlsx-latest.tgz",
      "integrity": "sha512-xCEjsEv5ZA+2XaNRfYlcWxDUqfBCOyp3woYFDZOFg9HJy4WXqpYuxM3+G8QmGtZ4d5cANcQq7CcKlia7wWkn/g==",
      "license": "Apache-2.0",
      "bin": {
        "xlsx": "bin/xlsx.njs"
      },
      "engines": {
        "node": ">=0.8"
      }
    },

And this is the error I see in recent nightly integration runs trying to run npm install:

    npm ERR! code EINTEGRITY
    npm ERR! Verification failed while extracting xlsx@https://cdn.sheetjs.com/xlsx-latest/xlsx-latest.tgz:
    npm ERR! Verification failed while extracting xlsx@https://cdn.sheetjs.com/xlsx-latest/xlsx-latest.tgz:
    npm ERR! sha512-xCEjsEv5ZA+2XaNRfYlcWxDUqfBCOyp3woYFDZOFg9HJy4WXqpYuxM3+G8QmGtZ4d5cANcQq7CcKlia7wWkn/g== integrity checksum failed when using sha512: wanted sha512-xCEjsEv5ZA+2XaNRfYlcWxDUqfBCOyp3woYFDZOFg9HJy4WXqpYuxM3+G8QmGtZ4d5cANcQq7CcKlia7wWkn/g== but got sha512-pPh/ybd1bChlhCrtQ9QmRUx2yjQwMbS4tfvV9MSA2Qmm7vRUHQtPDMlLjAvQ2A4v8G92i2RlrNkSOKb1bwY7ww==. (2313322 bytes)

    npm ERR! A complete log of this run can be found in:
    npm ERR!     /root/.npm/_logs/2022-11-18T06_35_03_826Z-debug.log

Supposedly xlsx-latest.tgz was updated recently.

Owner

npm inc froze the publishing accounts, so for all intents and purposes xlsx-cli (https://www.npmjs.com/package/xlsx-cli) is stuck.

There are a few ways to work around the problem:

A) if you are installing in a project, use a package.json override:

    {
      "dependencies": {
        "xlsx-cli": "^1.1.3"
      },
      "overrides": {
        "xlsx": "https://cdn.sheetjs.com/xlsx-0.19.0/xlsx-0.19.0.tgz"
      }
    }

This override forces npm to use the pinned version tarball (with the same shasum as the latest tarball from a few days ago).

B) make a standalone binary (https://docs.sheetjs.com/docs/demos/cli#nodejs)

C) integrate the script directly (https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/packages/xlsx-cli source tree)

Reference: sheetjs/sheetjs#2830