Page MenuHomePhabricator

npm checksum mismatch for ProofreadPage npm dependency: openseadragon
Open, MediumPublic

Description

The 1.39.0-wmf.1 (T300203) branch cut change for mediawiki/core is blocked due to CI failing. A npm dependency of mediawiki/extensions/ProofreadPage has a checksum mismatch.

Build: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/772054

npm selenium-test error:

INFO:quibble.commands:Running webdriver test in /workspace/src/extensions/ProofreadPage
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN tarball tarball data for openseadragon@git+ssh://git@github.com/openseadragon/openseadragon.git#6cb2c9e7bc4adebe28e386a093890a6c3e353c6b (sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w==) seems to be corrupted. Trying again.
npm WARN tarball tarball data for openseadragon@git+ssh://git@github.com/openseadragon/openseadragon.git#6cb2c9e7bc4adebe28e386a093890a6c3e353c6b (sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w==) seems to be corrupted. Trying again.
npm ERR! code EINTEGRITY
npm ERR! sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w== integrity checksum failed when using sha512: wanted sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w== but got sha512-cEte65qHZpa7HWAg9SGkUB+8huzEgmN8TBg03KEe/GPwyyDpFKt9pe9iZacULrSO+9CDx5Q8HKasDv1MRd7LBQ==. (655449 bytes)

npm ERR! A complete log of this run can be found in:
npm ERR!     /cache/npm/_logs/2022-03-21T02_16_36_929Z-debug.log

Event Timeline

Mentioned in SAL (#wikimedia-operations) [2022-03-21T08:43:42Z] <hashar> Train blocked due to a npm checksum mismatch preventing CI from merging in the mediawiki/core 1.39.0-wmf.1 change which create the branch. T304286

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ProofreadPage/+/771741 has updated the npm dev dependencies and the package-lock.json went from lockfile version 1 to 2 (I am assuming that got regenerated with npm 7).

+       "packages": {
+               "": {
+                       "dependencies": {
+                               "openseadragon": "git+https://github.com/openseadragon/openseadragon.git#6cb2c9e7bc4adebe28e386a093890a6c3e353c6b"
+               "node_modules/openseadragon": {
+                       "version": "2.4.2",
+                       "resolved": "git+ssh://git@github.com/openseadragon/openseadragon.git#6cb2c9e7bc4adebe28e386a093890a6c3e353c6b",
+                       "integrity": "sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w==",
+                       "license": "BSD-3-Clause"

The source has switched from https to ssh:

                "openseadragon": {
-                       "version": "git+https://github.com/openseadragon/openseadragon.git#6cb2c9e7bc4adebe28e386a093890a6c3e353c6b",
-                       "from": "git+https://github.com/openseadragon/openseadragon.git#6cb2c9e7bc4adebe28e386a093890a6c3e353c6b"
+                       "version": "git+ssh://git@github.com/openseadragon/openseadragon.git#6cb2c9e7bc4adebe28e386a093890a6c3e353c6b",
+                       "from": "openseadragon@git+https://github.com/openseadragon/openseadragon.git#6cb2c9e7bc4adebe28e386a093890a6c3e353c6b"
                },

wanted:
sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w==
but got:
sha512-cEte65qHZpa7HWAg9SGkUB+8huzEgmN8TBg03KEe/GPwyyDpFKt9pe9iZacULrSO+9CDx5Q8HKasDv1MRd7LBQ==

.

ProofreadPage pins OpenSeaDragon to a specific git hash instead of a tagged release for some reason.. I guess the fix would be to replace that with a tagged release instead.

Yeah, the git hash was pinned since the then current version of Openseadragon (v2.4.2) did not have a few of the features that we required. Now that v3.0.0 is released, we should update the dependencies to the newer version

Change 772346 had a related patch set uploaded (by Majavah; author: Majavah):

[mediawiki/extensions/ProofreadPage@master] Revert "build: Update devDependencies"

https://gerrit.wikimedia.org/r/772346

I reproduced it with Fresh:

$ /usr/local/bin/fresh-node14
Unable to find image 'docker-registry.wikimedia.org/releng/node14-test-browser:0.0.2-s4' locally
0.0.2-s4: Pulling from releng/node14-test-browser
aa694774c407: Already exists 
1ccfbda525e7: Already exists 
ad942625bd59: Already exists 
52cf4b170441: Already exists 
a513240338ae: Pull complete 
df7dc013492d: Pull complete 
b62c105991c6: Pull complete 
2f2e52ab1bed: Pull complete 
37068ac80b3e: Pull complete 
6ba3ac2a592f: Pull complete 
9766c34093fa: Pull complete 
442b5ede7413: Pull complete 
8c1ac7c7d4b3: Pull complete 
Digest: sha256:a3ec47c80dcd1f7cc0998786c2764a51348f7b2f9fd87113f0d7639371220292
Status: Downloaded newer image for docker-registry.wikimedia.org/releng/node14-test-browser:0.0.2-s4
# fresh: 22.01.1
# image: docker-registry.wikimedia.org/releng/node14-test-browser:0.0.2-s4
# software: Debian GNU/Linux 11 (bullseye)
#           Node.js v14.17.5 (npm 7.21.0)
#           Chromium 97.0.4692.99
#           Mozilla Firefox 91.5.0esr
#           JSDuck 5.3.4 (Ruby 2.7.4) ruby 2.7.4p191
# mount: /ProofreadPage      ➟ /home/hashar/projects/mediawiki/extensions/ProofreadPage      (read-write)
#        /ProofreadPage/.git ➟ /home/hashar/projects/mediawiki/extensions/ProofreadPage/.git (read-only)

🌱  Fresh!

I have no name!@d469d3264c5d:/ProofreadPage$ npm install
I have no name!@d469d3264c5d:/ProofreadPage$ npm install
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN tarball tarball data for openseadragon@git+ssh://git@github.com/openseadragon/openseadragon.git#6cb2c9e7bc4adebe28e386a093890a6c3e353c6b (sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w==) seems to be corrupted. Trying again.
⸨##################⸩ ⠸ reify:eslint-utils: WARN tarball tarball data for opens
⸨##################⸩ ⠸ reify:eslint-utils: WARN tarball tarball data for opens
npm WARN tarball tarball data for openseadragon@git+ssh://git@github.com/openseadragon/openseadragon.git#6cb2c9e7bc4adebe28e386a093890a6c3e353c6b (sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w==) seems to be corrupted. Trying again.
npm ERR! code EINTEGRITY
npm ERR! sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w== integrity checksum failed when using sha512: wanted sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w== but got sha512-cEte65qHZpa7HWAg9SGkUB+8huzEgmN8TBg03KEe/GPwyyDpFKt9pe9iZacULrSO+9CDx5Q8HKasDv1MRd7LBQ==. (655449 bytes)

npm ERR! A complete log of this run can be found in:
npm ERR!     /cache/_logs/2022-03-21T09_22_58_978Z-debug.log
/cache/_logs/2022-03-21T09_22_58_978Z-debug.log
2770 http fetch GET 200 https://codeload.github.com/openseadragon/openseadragon/tar.gz/6cb2c9e7bc4adebe28e386a093890a6c3e353c6b 27306ms (cache miss)
2771 warn tarball tarball data for openseadragon@git+ssh://git@github.com/openseadragon/openseadragon.git#6cb2c9e7bc4adebe28e386a093890a6c3e353c6b (sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w==) seems to be corrupted. Trying again.
2772 http fetch GET 200 https://codeload.github.com/openseadragon/openseadragon/tar.gz/6cb2c9e7bc4adebe28e386a093890a6c3e353c6b 881ms (cache revalidated)
2773 warn tarball tarball data for openseadragon@git+ssh://git@github.com/openseadragon/openseadragon.git#6cb2c9e7bc4adebe28e386a093890a6c3e353c6b (sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w==) seems to be corrupted. Trying again.
2774 timing reify:rollback:createSparse Completed in 1855ms
2775 timing reify:rollback:retireShallow Completed in 0ms
2776 timing command:install Completed in 293029ms
2777 verbose stack Error: sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w== integrity checksum failed when using sha512: wanted sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w== but got sha512-cEte65qHZpa7HWAg9SGkUB+8huzEgmN8TBg03KEe/GPwyyDpFKt9pe9iZacULrSO+9CDx5Q8HKasDv1MRd7LBQ==. (655449 bytes)
2777 verbose stack     at IntegrityStream.[_onEnd] (/srv/npm/node_modules/ssri/index.js:94:19)
2777 verbose stack     at IntegrityStream.emit (/srv/npm/node_modules/ssri/index.js:67:35)
2777 verbose stack     at IntegrityStream.[maybeEmitEnd] (/srv/npm/node_modules/minipass/index.js:357:12)
2777 verbose stack     at IntegrityStream.end (/srv/npm/node_modules/minipass/index.js:237:27)
2777 verbose stack     at /srv/npm/node_modules/pacote/lib/fetcher.js:234:58
2778 verbose cwd /ProofreadPage
2779 verbose Linux 5.10.0-12-amd64
2780 verbose argv "/usr/bin/node" "/usr/bin/npm" "install"
2781 verbose node v14.17.5
2782 verbose npm  v7.21.0
2783 error code EINTEGRITY
2784 error sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w== integrity checksum failed when using sha512: wanted sha512-M4Zc9ae11LgtnZcZPgpLH9ToXbjUiLOcBUlvx6jUq1yFb+yvvmFT+hMOzXFcqcv4jjq1NFS04OcX477vJOxY/w== but got sha512-cEte65qHZpa7HWAg9SGkUB+8huzEgmN8TBg03KEe/GPwyyDpFKt9pe9iZacULrSO+9CDx5Q8HKasDv1MRd7LBQ==. (655449 bytes)
2785 verbose exit 1
hashar lowered the priority of this task from Unbreak Now! to Medium.Mar 21 2022, 9:56 AM

Thanks @Majavah for the revert, as a result this is no more a blocker for the train.

Left to be figured out is why npm reports a checksum mismatch now, even though the original change proposed to ProofreadPage passed CI and merged just fine. Maybe some state changed since then.

Change 772422 had a related patch set uploaded (by Hashar; author: Esanders):

[mediawiki/extensions/ProofreadPage@master] build: Update devDependencies

https://gerrit.wikimedia.org/r/772422

@Esanders did the npm bump via https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ProofreadPage/+/771741 and the build passed https://integration.wikimedia.org/ci/job/wmf-quibble-selenium-php72-docker/141543/console (I have marked it to be kept forever).

I have reverted the change and send it again now as https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ProofreadPage/+/772422/ and it fails CI now: https://integration.wikimedia.org/ci/job/wmf-quibble-selenium-php72-docker/141961/console (I have marked it to be kept forever).

They both have:

node14.17.5
npm7.21.0

Maybe we had the correct one in our cache for the master branch which npm would have reused.

Change 772422 abandoned by Hashar:

[mediawiki/extensions/ProofreadPage@master] build: Update devDependencies

Reason:

https://gerrit.wikimedia.org/r/772422