Skip to content

fix: npm deps on git+https urls #2592

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jbedard merged 1 commit into from
Dec 22, 2025
Merged

fix: npm deps on git+https urls #2592

jbedard merged 1 commit into from
Dec 22, 2025
+889 −279

Conversation

@jbedard
Copy link
Member

@jbedard jbedard commented Dec 19, 2025
edited
Loading

Found while adding more tests for #2403

Changes are visible to end-users: no

Test plan

  • Covered by existing test cases
  • New test cases added

@aspect-workflows
Copy link

aspect-workflows bot commented Dec 19, 2025
edited
Loading

Bazel 7 (Test)

All tests were cache hits

294 tests (100.0%) were fully cached saving 39s.

Bazel 8 (Test)

All tests were cache hits

257 tests (100.0%) were fully cached saving 36s.

Bazel 7 (Test)

e2e/bzlmod

All tests were cache hits

5 tests (100.0%) were fully cached saving 559ms.

Bazel 7 (Test)

e2e/git_dep_metadata

1 test target passed

Targets 
//:no_git_metadata_test23ms

Bazel 7 (Test)

e2e/git_dep_no_tar

All tests were cache hits

1 test (100.0%) was fully cached saving 24ms.

Bazel 7 (Test)

e2e/gyp_no_install_script

All tests were cache hits

2 tests (100.0%) were fully cached saving 153ms.

Bazel 7 (Test)

e2e/js_image_oci

All tests were cache hits

1 test (100.0%) was fully cached saving 6s.

Bazel 7 (Test)

e2e/npm_link_package

All tests were cache hits

2 tests (100.0%) were fully cached saving 206ms.

Bazel 7 (Test)

e2e/npm_link_package-esm

All tests were cache hits

2 tests (100.0%) were fully cached saving 224ms.

Bazel 7 (Test)

e2e/npm_link_package-rerooted

All tests were cache hits

2 tests (100.0%) were fully cached saving 199ms.

Bazel 7 (Test)

e2e/npm_translate_lock

All tests were cache hits

3 tests (100.0%) were fully cached saving 681ms.

Bazel 7 (Test)

e2e/npm_translate_lock_disable_hooks

All tests were cache hits

3 tests (100.0%) were fully cached saving 257ms.

Bazel 7 (Test)

e2e/npm_translate_lock_empty

All tests were cache hits

2 tests (100.0%) were fully cached saving 180ms.

Bazel 7 (Test)

e2e/npm_translate_lock_exclude_package_contents

All tests were cache hits

1 test (100.0%) was fully cached saving 34ms.

Bazel 7 (Test)

e2e/npm_translate_lock_link_workspace

All tests were cache hits

2 tests (100.0%) were fully cached saving 225ms.

Bazel 7 (Test)

e2e/npm_translate_lock_multi

All tests were cache hits

2 tests (100.0%) were fully cached saving 164ms.

Bazel 7 (Test)

e2e/npm_translate_lock_partial_clone

All tests were cache hits

1 test (100.0%) was fully cached saving 61ms.

Bazel 7 (Test)

e2e/npm_translate_lock_replace_packages

All tests were cache hits

4 tests (100.0%) were fully cached saving 487ms.

Bazel 7 (Test)

e2e/npm_translate_lock_subdir_patch

All tests were cache hits

1 test (100.0%) was fully cached saving 95ms.

Bazel 7 (Test)

e2e/npm_translate_package_lock

All tests were cache hits

1 test (100.0%) was fully cached saving 31ms.

Bazel 7 (Test)

e2e/npm_translate_yarn_lock

All tests were cache hits

1 test (100.0%) was fully cached saving 31ms.

Bazel 7 (Test)

e2e/package_json_module

All tests were cache hits

1 test (100.0%) was fully cached saving 324ms.

Bazel 7 (Test)

e2e/patch_from_repo

All tests were cache hits

1 test (100.0%) was fully cached saving 31ms.

Bazel 7 (Test)

e2e/pnpm_lockfiles

All tests were cache hits

82 tests (100.0%) were fully cached saving 9s.

Bazel 7 (Test)

e2e/pnpm_repo_install

All tests were cache hits

1 test (100.0%) was fully cached saving 963ms.

Bazel 7 (Test)

e2e/pnpm_version

All tests were cache hits

1 test (100.0%) was fully cached saving 75ms.

Bazel 7 (Test)

e2e/pnpm_workspace

All tests were cache hits

15 tests (100.0%) were fully cached saving 3s.

Bazel 7 (Test)

e2e/pnpm_workspace_deps

All tests were cache hits

3 tests (100.0%) were fully cached saving 428ms.

Bazel 7 (Test)

e2e/pnpm_workspace_rerooted

All tests were cache hits

15 tests (100.0%) were fully cached saving 3s.

Bazel 7 (Test)

e2e/repo_mapping

All tests were cache hits

3 tests (100.0%) were fully cached saving 394ms.

Bazel 7 (Test)

e2e/runfiles

All tests were cache hits

1 test (100.0%) was fully cached saving 110ms.

Bazel 7 (Test)

e2e/stamped_package_json

All tests were cache hits

1 test (100.0%) was fully cached saving 44ms.

Bazel 7 (Test)

e2e/vendored_node

All tests were cache hits

1 test (100.0%) was fully cached saving 70ms.

Bazel 7 (Test)

e2e/vendored_tarfile

All tests were cache hits

1 test (100.0%) was fully cached saving 31ms.

Bazel 7 (Test)

e2e/verify_patches

All tests were cache hits

2 tests (100.0%) were fully cached saving 109ms.

Bazel 7 (Test)

e2e/worker

All tests were cache hits

1 test (100.0%) was fully cached saving 35ms.

Bazel 7 (Test)

e2e/workspace

All tests were cache hits

1 test (100.0%) was fully cached saving 35ms.

Buildifier      Format

@jbedard jbedard force-pushed the test-http-git branch 2 times, most recently from 484f51b to 9820b5b Compare December 19, 2025 22:47
@jbedard jbedard mentioned this pull request Dec 19, 2025
Merged
@jbedard jbedard changed the title test: lockfile tests for git repo via https fix: npm deps on git+https urls Dec 19, 2025
jbedard
jbedard commented Dec 19, 2025
View reviewed changes
npm/private/utils.bzl Outdated

def _is_git_repository_url(url):
return url.startswith("git+ssh://") or url.startswith("git+https://") or url.startswith("git@")
return url.startswith("git+ssh://") or url.startswith("git+https://") or url.startswith("git@") or url.startswith("https://git@")
Copy link
Member Author

@jbedard jbedard Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pnpm <9 (lockfile v54, 60, 61) tests reproduce this where the lockfile itself has the git repo specified as:

resolution: {repo: https://git@github.com/jquery/jquery.git}

I assume this is possible for pnpm 9+ as well but 9+ must fallback to non-git tarball https resolution instead of git.

Copy link
Member Author

@jbedard jbedard Dec 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See newer comment regarding deleting this is_git_repository_url

jbedard added a commit that referenced this pull request Dec 19, 2025
@jbedard
fix: do not serialize Label() via "".join() when tar command fails (#…
e6dc7a3 
…2593)

While debugging an error in
#2592 it was failing to
output an error message instead saying:
```
expected string for sequence element 0, got '@@aspect_bazel_lib~~toolchains~bsd_tar_darwin_arm64//:tar' of type Label
```

This change makes it output the args in a format such as:
```
Failed to extract package tarball. '[Label("@@aspect_bazel_lib~~toolchains~bsd_tar_darwin_arm64//:tar"), "-xf", "package.tgz", "--strip-components", "1", "-C", "package", "--no-same-owner", "--no-same-permissions"]' exited with 1:
```
which might have the ugly `[...]` braces but at least it's not failing
to output the error message.

### Changes are visible to end-users: no

### Test plan

- Covered by existing test cases
- Manual testing
jbedard added a commit that referenced this pull request Dec 19, 2025
@jbedard
fix: do not serialize Label() via "".join() when tar command fails (#…
06cea96 
…2593)

While debugging an error in
#2592 it was failing to
output an error message instead saying:
```
expected string for sequence element 0, got '@@aspect_bazel_lib~~toolchains~bsd_tar_darwin_arm64//:tar' of type Label
```

This change makes it output the args in a format such as:
```
Failed to extract package tarball. '[Label("@@aspect_bazel_lib~~toolchains~bsd_tar_darwin_arm64//:tar"), "-xf", "package.tgz", "--strip-components", "1", "-C", "package", "--no-same-owner", "--no-same-permissions"]' exited with 1:
```
which might have the ugly `[...]` braces but at least it's not failing
to output the error message.

### Changes are visible to end-users: no

### Test plan

- Covered by existing test cases
- Manual testing
@jbedard jbedard force-pushed the test-http-git branch 3 times, most recently from cfce535 to a06e6f6 Compare December 20, 2025 00:18
jbedard
jbedard commented Dec 20, 2025
View reviewed changes
npm/private/utils.bzl
)

def _is_git_repository_url(url):
return url.startswith("git+ssh://") or url.startswith("git+https://") or url.startswith("git@")
Copy link
Member Author

@jbedard jbedard Dec 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is also https://git@ which I had originally added to this. But there is also plain https:// which might be a git repo (and it probably ends with .git but might end with .git#commithash).

I think it's better to not do things based on URL and instead based on if a commit attr is specified, which we required anyway (see removed fail()).

jbedard
jbedard commented Dec 20, 2025
View reviewed changes
npm/private/npm_import.bzl

reproducible = False
package_src = _EXTRACT_TO_DIRNAME
if utils.is_git_repository_url(rctx.attr.url):
Copy link
Member Author

@jbedard jbedard Dec 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We explicitly set url to the lockfile repo field which for git+https version specifiers will be the plain https://github.com/foo/bar.git URL and not appear to be a git protocol.

We then assert that when fetching from git a commit is required. So instead lets just do things based on the commit attribute...

jbedard
jbedard commented Dec 20, 2025
View reviewed changes
e2e/pnpm_lockfiles/base/package.json
"@isaacs/cliui": "8.0.2",
"debug": "ngokevin/debug#9742c5f383a6f8046241920156236ade8ec30d53",
"esbuild": "0.27.0",
"highlightjs-git-https-notar": "git+https://gitea.osmocom.org/vyanitskiy/highlight.js.git#58dc5961f6f2bb8bc8bb1e7ce39f268a2fdd874f",
Copy link
Member Author

@jbedard jbedard Dec 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Github seems to provide tarballs for all commits so the pnpm 9+ lockfile references the tarball instead of using the git protocol.

Using this non-github public git repo ensures the git protocol is used on all pnpm version

jbedard
jbedard commented Dec 20, 2025
View reviewed changes
e2e/pnpm_lockfiles/v90/pnpm-lock.yaml
engines: {node: '>= 0.4'}

highlight.js@git+https://gitea.osmocom.org/vyanitskiy/highlight.js.git#58dc5961f6f2bb8bc8bb1e7ce39f268a2fdd874f:
resolution: {commit: 58dc5961f6f2bb8bc8bb1e7ce39f268a2fdd874f, repo: https://gitea.osmocom.org/vyanitskiy/highlight.js.git, type: git}
Copy link
Member Author

@jbedard jbedard Dec 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Notice the type: git where all the jquery ones are tarball

@jbedard jbedard merged commit e758431 into aspect-build:main Dec 22, 2025
113 checks passed
@jbedard jbedard deleted the test-http-git branch December 22, 2025 20:34
jbedard added a commit that referenced this pull request Dec 22, 2025
@jbedard
fix: npm deps on git+https urls (#2592)
6b433a8 
Found while adding more tests for
#2403

- Covered by existing test cases
- New test cases added
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexeagle alexeagle alexeagle approved these changes

@dzbarsky dzbarsky dzbarsky approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jbedard @alexeagle @dzbarsky