subdependency regression breaks node-gyp 9 #2848

Closed
legobeat opened this issue May 17, 2023 · 2 comments
legobeat commented May 17, 2023

Verbose output (from npm or node-gyp):

CI run on current main:

# Subtest: test/test-create-config-gypi.js
    # Subtest: config.gypi with no options
        1..2
        ok 1 - should be equal
        ok 2 - should be equal
    ok 1 - config.gypi with no options # time=22.437ms
    
    # Subtest: config.gypi with --debug
        1..1
        ok 1 - should be equal
    ok 2 - config.gypi with --debug # time=3.625ms
    
    # Subtest: config.gypi with custom options
        1..1
        ok 1 - should be equal
    ok 3 - config.gypi with custom options # time=2.86ms
    
    # Subtest: config.gypi with nodedir
        1..1
        ok 1 - should be equal
    ok 4 - config.gypi with nodedir # time=6.656ms
    
    # Subtest: config.gypi with --force-process-config
        1..1
        ok 1 - should be equal
    ok 5 - config.gypi with --force-process-config # time=3.603ms
    
    # Subtest: config.gypi parsing
        1..1
        ok 1 - should be equivalent
    ok 6 - config.gypi parsing # time=1.559ms
    
    1..6
    # time=67.566ms
ok 3 - test/test-create-config-gypi.js # time=603.309ms

/home/runner/work/node-gyp/node-gyp/node_modules/path-scurry/node_modules/lru-cache/dist/cjs/index.js:52
            this.signal.onabort?.(reason);
                                ^

SyntaxError: Invalid or unexpected token
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1143:10)
# Subtest: test/test-download.js
    1..0 # no tests found
not ok 4 - test/test-download.js # time=831.278ms
  ---
  timeout: 600000
  file: test/test-download.js
  childId: 3
  command: /opt/hostedtoolcache/node/14.21.3/x64/bin/node
  args:
    - '-r'
    - /home/runner/work/node-gyp/node-gyp/node_modules/esm/esm.js
    - test/test-download.js
  stdio:
    - 0
    - pipe
    - 2
  cwd: /home/runner/work/node-gyp/node-gyp
  exitCode: 1
  ...

The incompatible syntax got introduced in the lru-cache update from 8 to 9:

https://npm-diff.app/[email protected]@9.0.3#dist/cjs/index.js-L52

Here we see the release history of path-scurry, which introduces this dependency:

version | dependencies["lru-cache"] | release_time
--------|---------------------------|-------------------------
0.0.0-0 |         | 2023-02-07T05:05:40.334Z
1.0.0   | ^7.14.1 | 2023-02-07T05:15:56.753Z
1.0.1   | ^7.14.1 | 2023-02-07T05:17:31.309Z
1.1.0   | ^7.14.1 | 2023-02-07T21:47:20.011Z
1.1.1   | ^7.14.1 | 2023-02-08T20:19:45.947Z
1.2.0   | ^7.14.1 | 2023-02-09T19:01:01.835Z
1.3.0   | ^7.14.1 | 2023-02-12T04:51:56.217Z
1.4.0   | ^7.14.1 | 2023-02-13T16:51:32.302Z
1.5.0   | ^7.14.1 | 2023-02-27T05:51:44.714Z
1.6.0   | ^7.14.1 | 2023-03-01T21:56:20.111Z
1.6.1   | ^7.14.1 | 2023-03-01T22:12:52.205Z
1.6.2   | ^7.14.1 | 2023-03-22T05:30:58.343Z
1.6.3   | ^7.14.1 | 2023-03-22T18:50:47.648Z
1.6.4   | ^9.0.0  | 2023-04-09T22:06:57.282Z
1.7.0   | ^9.0.0  | 2023-04-14T23:00:30.211Z
1.7.1   | ^9.1.1  | 2023-05-10T15:40:06.773Z
1.8.0   | ^9.1.1  | 2023-05-10T16:30:57.689Z
1.9.0   | ^9.1.1  | 2023-05-14T18:26:58.094Z
1.9.1   | ^9.1.1  | 2023-05-15T04:44:45.154Z

Bumping lru-cache from ^7.14.1 to ^9.0.0 was actually a breaking change. Since the node-gyp repo does not utilize a lockfile, this meant that builds started breaking since 2023-04-09.

Suggestions:

  • Fix in upstream, or pin lru-cache to unblock addressing unbreaking security fixes for node-gyp users on legacy environments.
  • Then deprecate Node.js 12 (and more?) in a new major release.

legobeat changed the title from "incompatible dependency" to "subdependency regression breaks node-gyp" on May 17, 2023
legobeat changed the title from "subdependency regression breaks node-gyp" to "subdependency regression breaks node-gyp 9" on May 17, 2023
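
The timeline described in the issue above, as an added example that is not part of the original thread or of node-gyp's code: it replays a lockfile-less install against a subset of the path-scurry rows from the table and flags the release that raised the lru-cache major inside the same path-scurry major. The parent's `^1.0.0` range for path-scurry is an assumption (the page does not state it), and the caret matcher only handles plain `x.y.z` versions with major >= 1.

```javascript
// Release history of path-scurry: a subset of the rows in the issue's table.
const HISTORY = [
  ['1.0.0', '^7.14.1', '2023-02-07T05:15:56.753Z'],
  ['1.6.3', '^7.14.1', '2023-03-22T18:50:47.648Z'],
  ['1.6.4', '^9.0.0', '2023-04-09T22:06:57.282Z'],
  ['1.7.0', '^9.0.0', '2023-04-14T23:00:30.211Z'],
  ['1.7.1', '^9.1.1', '2023-05-10T15:40:06.773Z'],
  ['1.9.1', '^9.1.1', '2023-05-15T04:44:45.154Z'],
].map(([version, lruRange, time]) => ({ version, lruRange, time: new Date(time) }));

// "1.6.4" or "^7.14.1" -> [major, minor, patch]
const parse = (v) => v.replace(/^\^/, '').split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Caret match for majors >= 1: same major, and not below the range floor.
function satisfiesCaret(version, range) {
  return parse(version)[0] === parse(range)[0] && cmp(version, range) >= 0;
}

// What an install without a lockfile picks on a given date: the highest
// matching version that was already published at that moment.
function resolveAt(history, range, when) {
  const ok = history.filter(
    (r) => r.time <= new Date(when) && satisfiesCaret(r.version, range));
  return ok.sort((a, b) => cmp(a.version, b.version)).pop() || null;
}

// Flag releases that raise a dependency's major while keeping their own
// major: a caret range on the parent lets these through silently.
function findMajorBumps(history) {
  const sorted = [...history].sort((a, b) => cmp(a.version, b.version));
  const flagged = [];
  for (let i = 1; i < sorted.length; i++) {
    const [prev, cur] = [sorted[i - 1], sorted[i]];
    const sameMajor = parse(prev.version)[0] === parse(cur.version)[0];
    if (sameMajor && parse(cur.lruRange)[0] > parse(prev.lruRange)[0]) {
      flagged.push({ version: cur.version, from: prev.lruRange, to: cur.lruRange });
    }
  }
  return flagged;
}
```

Running `findMajorBumps` over registry metadata for each transitive dependency in CI gives an early signal for this class of break; a committed lockfile removes the date dependence that `resolveAt` demonstrates.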
@legobeat
Author

Some relevant conversation in #2796

legobeat added a commit to legobeat/node-gyp that referenced this issue May 17, 2023
This reverts commit 02480f6, thereby
rolling back dependency make-fetch-happen from ^11.0.3 to ^10.0.3.

The upgrade is breaking for node-fetch users as it has transitive
dependencies with syntax incompatible with supported Node.js versions.

Related:
- nodejs#2770
- nodejs#2837
- nodejs#2816
- nodejs#2848
- nodejs#2827
- nodejs#2796
legobeat added a commit to legobeat/node-gyp that referenced this issue Jun 26, 2023
@lukekarrys
Member

v9.4.1 has been released which reverts the dependency changes (#2917) that caused this issue. Those changes will be released again as v10.0.0 with the changelog outlining the newly supported Node versions.
