Message ID | 20250922195517.1052823-1-jeroen@myspectrum.nl |
---|---|
State | New |
Series | [RFC] fetch2: npm: do keep the sha256sum |
diff --git a/lib/bb/fetch2/npm.py b/lib/bb/fetch2/npm.py index e469d6676..ad740f832 100644 --- a/lib/bb/fetch2/npm.py +++ b/lib/bb/fetch2/npm.py @@ -269,7 +269,8 @@ class Npm(FetchMethod): # Avoid conflicts between the environment data and: # - the proxy url checksum data = bb.data.createCopy(d) - data.delVarFlags("SRC_URI") + # XXX: What is the purpose of removing SRC_URI, it also removes the checksum... + #data.delVarFlags("SRC_URI") ud.proxy = Fetch([url], data) def _get_proxy_method(self, ud, d):
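Review bot: The commented-out `#data.delVarFlags("SRC_URI")` and the `XXX` question in `_setup_proxy` leave the code contradicting the comment directly above it, which still says the copy exists to avoid conflicts with "the proxy url checksum" even though every SRC_URI flag is now kept on `data`. Either delete the call outright and rewrite that comment to say why the flags are kept, or keep the deletion and carry only the checksum over (read the `sha256sum` flag from `d` and set it again on the copy after `delVarFlags`), so unrelated SRC_URI flags still cannot reach the `Fetch([url], data)` proxy. A test in which a mismatching local SRC_URI[sha256sum] makes the npm fetch fail would show that the check works again.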
From: Jeroen Hofstee <jhofstee@victronenergy.com>

commit 8d3232152e ("fetch2: read checksum from SRC_URI flag for npm") added npm to require a checksum. The checksum is also added with the `npm view` command which relies on downloaded data. Furthermore in _setup_proxy all the SRC_URI variables are removed, so an explicit local SRC_URI[sha256sum] is removed and it only checks the online checksum from npm view.

This removes the data.delVarFlags("SRC_URI"), so the check works again, but given the comment "Avoid conflicts between the environment data and the proxy url checksum", there might be reason for that, but I wouldn't expect tarballs to differ when served directly or via a proxy.

We might consider getting rid of npm_integrity completely and force having a local checksum and not depend on the npm infrastructure.

---
 lib/bb/fetch2/npm.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
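The trust difference the commit message describes, as an added Python example that is not BitBake code or part of the patch: a download checked only against an integrity value obtained from the registry accepts whatever the registry serves, while a recipe-pinned SRC_URI[sha256sum] catches the change. The `verify_fetch` helper, the `flags` dict standing in for the SRC_URI varflags, and the sample bytes are constructed; the SRI form (`sha512-<base64>`) of the registry value is an assumption.

```python
import base64
import hashlib
import hmac


def sri_digest(data: bytes, algo: str = "sha512") -> str:
    """Build an SRI-style string, "<algo>-<base64 digest>" (assumed registry format)."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def check_sri(data: bytes, integrity: str) -> bool:
    """Verify data against an SRI-style integrity string."""
    algo = integrity.split("-", 1)[0]
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported integrity algorithm: {algo}")
    return hmac.compare_digest(sri_digest(data, algo), integrity)


def verify_fetch(tarball: bytes, registry_integrity: str, flags: dict) -> list:
    """Return the names of the checks that failed for one download.

    flags is a hypothetical stand-in for the recipe's SRC_URI varflags; an
    empty dict models the datastore copy after all flags were deleted.
    """
    failures = []
    if not check_sri(tarball, registry_integrity):
        failures.append("registry integrity")
    pinned = flags.get("sha256sum")
    if pinned is not None and not hmac.compare_digest(
            hashlib.sha256(tarball).hexdigest(), pinned):
        failures.append("SRC_URI[sha256sum]")
    return failures


# Constructed sample data: what was reviewed versus what is served later.
REVIEWED = b"constructed tarball bytes, as reviewed"
SERVED = b"constructed tarball bytes, changed upstream"
RECIPE_FLAGS = {"sha256sum": hashlib.sha256(REVIEWED).hexdigest()}
# The registry describes whatever it currently serves, so this always matches.
REGISTRY_INTEGRITY = sri_digest(SERVED)


def demo():
    """(flags deleted, flags kept, unchanged tarball with flags kept)."""
    return (verify_fetch(SERVED, REGISTRY_INTEGRITY, {}),
            verify_fetch(SERVED, REGISTRY_INTEGRITY, RECIPE_FLAGS),
            verify_fetch(REVIEWED, sri_digest(REVIEWED), RECIPE_FLAGS))
```

With the flags deleted, the changed tarball passes every check that remains; with the pinned flag kept, the same download is rejected.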