node corepack is broken (yarn, pnpm, ...) #253

Closed
OmarTawfik opened this issue Dec 5, 2022 · 5 comments
OmarTawfik commented Dec 5, 2022

The preferred way to install tools like yarn and pnpm is through the Node.js corepack command:

The preferred way to manage Yarn is through Corepack, a new binary shipped with all Node.js releases starting from 16.10. It acts as an intermediary between you and Yarn, and lets you use different package manager versions across multiple projects without having to check-in the Yarn binary anymore.

For projects using hermit, this can be done via:

hermit install node
corepack enable

Which adds new symlinks to the ./bin directory, like yarn, yarnpkg, pnpm, and pnpx. And now I can just invoke them using yarn install as usual, which is great for local development!

However, these symlinks are added relative to my local Hermit folder (macOS laptop):

ls -la ./bin/yarn
./bin/yarn -> ../../../Library/Caches/hermit/pkg/node-19.2.0/lib/node_modules/corepack/dist/yarn.js

Which means it is broken if I try to use it in CI (ubuntu), or check it into the repository so that other developers use it, since that path is only valid on my machine.

  1. Is there an alternative (Hermit-blessed) way of installing tools managed by corepack?
  2. If not, can these symlinks be corrected somehow to point to a portable path that can work across different machines and in CI?

alecthomas commented Dec 5, 2022

Anything not directly managed by Hermit shouldn't be checked in. This is conceptually similar to using pip, or even npm, for example.

Usually though, we set an environment variable to tell package managers to install into .hermit/<tool> and the package adds that to the path, so if we can figure out how to tell corepack how to do that, that would be ideal. You can see an example of that in the Node package itself.

@alecthomas alecthomas transferred this issue from cashapp/hermit Dec 5, 2022

alecthomas commented

Looking at the list of envars, it doesn't seem like there is one to set the install prefix, but it can be done via:

mkdir -p "$NPM_CONFIG_PREFIX/bin"
corepack enable --install-directory "$NPM_CONFIG_PREFIX/bin"

We can probably do this in an on install hook.

alecthomas added a commit that referenced this issue Dec 6, 2022
This is a little bit scary, as sometimes these changes can cause
unexpected effects, but it seems useful.

Will install into .hermit/node/bin

Fixes #253

alecthomas commented

The linked PR is a proof of concept but we should not merge this, as corepack is very explicitly marked experimental:

Due to its experimental status, Corepack currently needs to be explicitly enabled to have any effect.

alecthomas commented

I'm going to close this, as generally Hermit is not in the business of doing anything other than installing the base toolchain. Anything beyond that, such as npm, pip, etc. needs to be managed by the user.

OmarTawfik commented

@alecthomas Many thanks for giving me a pointer. Will try that suggestion locally and see if I can come up with a fix.
We can revisit that issue if/once corepack is stabilized.

oren-zohar pushed a commit to oren-zohar/hermit-packages that referenced this issue Feb 26, 2023
We verify the downloaded install script's SHA-256 value against a known
checksum in `bin/hermit`. This ensures the integrity of the installer
when bootstrapping hermit.

We version (via file name suffix) the install script by the script's
short hash value, so that an install script can be uniquely identified
by its version / file name. The corresponding `bin/hermit` is generated
with `hermit init` for a project.

Note that an install script's "version" is unrelated to the version of
the hermit executable.
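
The check described in the commit message above, sketched as an added example; it is not Hermit's own code. The `install-<short-hash>.sh` file naming, the 8-character short hash and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify a downloaded install script before executing it.
# Assumed, not taken from Hermit: the script is named install-<short-hash>.sh
# and the short hash is the first 8 hex characters of its SHA-256.
SHORT_LEN=8

# Print the lowercase hex SHA-256 of a file with whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 only if the file's digest equals the pinned value AND the short
# hash in the file name is a prefix of that digest. Fails closed otherwise.
verify_installer() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    # Reject a malformed pin instead of comparing against garbage.
    case $expected in
        ''|*[!0-9a-f]*) echo "bad pinned checksum" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad pinned checksum" >&2; return 1; }

    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        return 1
    fi
    # The name must identify the same content the pin does.
    name=${file##*/}
    short=${name#install-}
    short=${short%.sh}
    prefix=$(printf '%s' "$expected" | cut -c1-"$SHORT_LEN")
    [ "$short" = "$prefix" ] || { echo "name/hash mismatch: $name" >&2; return 1; }
}

# Stand-alone use: sh verify.sh ./install-<short-hash>.sh <pinned sha256>
if [ "$#" -eq 2 ]; then verify_installer "$1" "$2"; fi
```

The pinned value has to live in a file that is itself reviewed and checked in (the commit message names `bin/hermit`); a checksum fetched from the same location as the script gives no integrity guarantee.
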
oren-zohar pushed a commit to oren-zohar/hermit-packages that referenced this issue Feb 26, 2023
We'll revisit this later.

Revert "fix: use the right installer URL for the canary channel (cashapp#257)"

This reverts commit f4b87be.

Revert "fix: publish versioned installer script to canary"

This reverts commit 8b40b96.

Revert "feat: verify installer checksum when bootstrapping (cashapp#253)"

This reverts commit 4802074.