yarn2nix: Handle lockfile entries with multiple integrity hashes

Some NPM packages provide multiple integrity hashes with different algorithms. These are space separated, like below: ``` tar@^4: version "4.4.19" resolved "https://registry.yarnpkg.com/tar/-/tar-4.4.19.tgz#2e4d7263df26f2b914dee10c825ab132123742f3" integrity "sha1-Lk1yY98m8rkU3uEMglqxMhI3QvM= sha512-a20gEsvHnWe0ygBY8JbxoM4w3SJdhc7ZAuxkLqh+nvNQN2IOt0B5lLgM490X5Hl8FF0dl0tOf2ewFYAlIFgzVA==" ``` Currently, yarn2nix isn't able to handle these lockfile entries, producing an error like `error: hash 'Lk1yY98m8rkU3uEMglqxMhI3QvM= sha512' has wrong length for hash type 'sha1'`. This is because it isn't aware that spaces could separate multiple hashes. This commit uses the official Standard Subresource Integrity package from npm to parse the integrity line, and pick the best available algorithm. It also replaced many of the local yarn2nix entries with sha512, even ones that don't include it in the lockfile. Not sure how that happened, but it works in practice! The addition of `ssri` may also reduce signs and symptoms of depression.
2022-10-26 19:23:08 -05:00 · 2022-10-26 19:23:08 -05:00 · 0bb8e94900
parent 4f8287f3d5
commit 0bb8e94900
4 changed files with 341 additions and 289 deletions
--- a/pkgs/development/tools/yarn2nix-moretea/yarn2nix/lib/generateNix.js
+++ b/pkgs/development/tools/yarn2nix-moretea/yarn2nix/lib/generateNix.js
@ -1,4 +1,5 @@
 const R = require('ramda')
+const ssri = require("ssri");

 const urlToName = require('./urlToName')
 const { execFileSync } = require('child_process')
@ -103,7 +104,14 @@ function fetchLockedDep(builtinFetchGit) {
      return fetchgit(fileName, urlForGit, rev, branch || 'master', builtinFetchGit)
    }

-    const [algo, hash] = integrity ? integrity.split('-') : ['sha1', sha1OrRev]
+    // Pull out integrity hash, providing a default and using the "best" algorithm if there are multiple.
+    let algo = "sha1";
+    let hash = sha1OrRev;
+    if (integrity) {
+      const integrities = ssri.parse(integrity);
+      algo = integrities.pickAlgorithm();
+      hash = integrities[algo][0].hexDigest();
+    }

    return `    {
      name = "${fileName}";
--- a/pkgs/development/tools/yarn2nix-moretea/yarn2nix/package.json
+++ b/pkgs/development/tools/yarn2nix-moretea/yarn2nix/package.json
@ -21,7 +21,8 @@
    "@yarnpkg/lockfile": "^1.1.0",
    "deep-equal": "^1.0.1",
    "docopt": "^0.6.2",
-    "ramda": "^0.26.1"
+    "ramda": "^0.26.1",
+    "ssri": "^10.0.0"
  },
  "devDependencies": {
    "babel-eslint": "^10.0.1",
--- a/pkgs/development/tools/yarn2nix-moretea/yarn2nix/yarn.lock
+++ b/pkgs/development/tools/yarn2nix-moretea/yarn2nix/yarn.lock
@ -2228,6 +2228,13 @@ minimist@^1.2.0, minimist@^1.2.5:
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602"
  integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==

+minipass@^3.1.1:
+  version "3.3.4"
+  resolved "https://registry.yarnpkg.com/minipass/-/minipass-3.3.4.tgz#ca99f95dd77c43c7a76bf51e6d200025eee0ffae"
+  integrity sha512-I9WPbWHCGu8W+6k1ZiGpPu0GkoKBeorkfKNuAFBNS1HNFJvke82sxvI5bzcCNpWPorkOO5QQ+zomzzwRxejXiw==
+  dependencies:
+    yallist "^4.0.0"
+
 mixin-deep@^1.2.0:
  version "1.3.2"
  resolved "https://registry.yarnpkg.com/mixin-deep/-/mixin-deep-1.3.2.tgz#1120b43dc359a785dce65b55b82e257ccf479566"
@ -3136,6 +3143,13 @@ sprintf-js@~1.0.2:
  resolved "https://registry.yarnpkg.com/sprintf-js/-/sprintf-js-1.0.3.tgz#04e6926f662895354f3dd015203633b857297e2c"
  integrity sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=

+ssri@^10.0.0:
+  version "10.0.0"
+  resolved "https://registry.yarnpkg.com/ssri/-/ssri-10.0.0.tgz#1e34554cbbc4728f5290674264e21b64aaf27ca7"
+  integrity sha512-64ghGOpqW0k+jh7m5jndBGdVEoPikWwGQmBNN5ks6jyUSMymzHDTlnNHOvzp+6MmHOljr2MokUzvRksnTwG0Iw==
+  dependencies:
+    minipass "^3.1.1"
+
 staged-git-files@1.1.2:
  version "1.1.2"
  resolved "https://registry.yarnpkg.com/staged-git-files/-/staged-git-files-1.1.2.tgz#4326d33886dc9ecfa29a6193bf511ba90a46454b"
@ -3545,6 +3559,11 @@ yallist@^2.1.2:
  resolved "https://registry.yarnpkg.com/yallist/-/yallist-2.1.2.tgz#1c11f9218f076089a47dd512f93c6699a6a81d52"
  integrity sha1-HBH5IY8HYImkfdUS+TxmmaaoHVI=

+yallist@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/yallist/-/yallist-4.0.0.tgz#9bb92790d9c0effec63be73519e11a35019a3a72"
+  integrity sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==
+
 yargs-parser@^8.0.0:
  version "8.1.0"
  resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-8.1.0.tgz#f1376a33b6629a5d063782944da732631e966950"
--- a/pkgs/development/tools/yarn2nix-moretea/yarn2nix/yarn.nix
+++ b/pkgs/development/tools/yarn2nix-moretea/yarn2nix/yarn.nix