Think Twice before Force Publish NPM Package

June 03, 2023

I traced an interesting bug in the project using Vite CDN recently. A teammate deployed a tested feature to the staging environment to prepare for the regular release, but the QA reported that the whole product was broken, users can't do anything. He reverted the commits to do a quick fix, it was still broken after he did the rollback, it's hardly unbelievable.

I did some quick investigation, only found that the build result of CI is different from my personal laptop, some hash of chunk didn't match. To confirm my assumption, I deployed my personal laptop build result, it worked again! The sametime my teammate inspected the build log of CI, and found such error: PNPM TARBALL INTEGRITY ERROR And all the installed package dependencies versions were the latest and totally wrong. I checked the dependency caused the issue, it's a private dependency maintained by our team and commented out. I removed it and pushed, the issue was confirmed solved after the CI successfully deployed the build.

How to explain?

A guess is that some teammate forcefully published the package and overwrite an existing version, and I asked the one who maintained the package, he confirmed that he published forcefully recently. Because the CI pipeline always do a clean install, so pnpm can't find a package with matched integrity because of the force publish, and it installs all the latest dependencies by default after try a couple of times. What caused the issue is latest Vue3 didn't work with current manualChunks of build.rollupOptions.output.

How to Avoid such issue Permanently?

It's obvious that the maintainers of OSS packages used in a project may still make such an error, so I try to find a way to avoid such issue permanently.

The official document of pnpm install says:

pnpm install is used to install all dependencies for a project.

In a CI environment, installation fails if a lockfile is present but needs an update.

The command only fails in a CI environments. You can enable frozen-lockfile option to make it fail explicitly.

Other Package Manager

Profile picture

Written by Priestch who lives and works in Xi'an building useful things. You can follow him on Github