Warning against sourcing Infusion from git-based package references

Antranig Basman antranig.basman at colorado.edu
Thu Jan 5 20:00:33 UTC 2017


Just before Christmas, Tony Adtkins and I ran into a very unfortunate cache corruption issue which seems to 
affect both yarn and npm, in the case where you are working with multiple versions of Infusion (or indeed, 
one imagines, any project) throughout a tree which at some sites is sourced via npm module references and at 
other sites is sourced via git URLs. It appears that our habit of storing the version number of a real 
released package within the package.json held within git (at any time) raises the possibility of the package 
manager's cache of the package contents becoming corrupt - including in a way not related directly to the 
version or package which is conflicting. This is written up at https://issues.gpii.net/browse/GPII-2179 and 
some commentary is on a pull request for infusion-docs where the issue was first encountered:
https://github.com/fluid-project/infusion-docs/pull/103#discussion_r92831132

What we observed was that npm was capable of installing a version of Infusion *whose contents mismatched its 
package version* - in fact, were those of an unrelated and old version of Infusion which had been referenced 
via a git URL, a broken version which suffered from the problem described at 
https://github.com/fluid-project/infusion/pull/577#issuecomment-255065212 - this was referenced by some 
nested project, and the contents of this Infusion ended up displacing those in npm's cache when it resolved 
the top-level Infusion reference which was to a more recent, fixed version. In this case therefore 
Infusion's "self-deduping" algorithm was useless since the contents of the highest resolvable Infusion in 
the installed module tree were corrupt. Adtkins has confirmed that yarn is capable of generating this 
problem as well.

The take-home, executive summary is - do not reference Infusion via git repository references in 
package.json. If there is an urgent fix that you need, please ask a core team member to roll you a dev 
release which can be referenced via the npm registry - this is very quick and easy for them to do via the 
fluid-publish module.

Cheers,

Antranig

