Verify the js-yaml package integrity #700
Conversation
LaurentGoderre
force-pushed
the
check-js-yaml
branch
from
5548857
to
13074fb
Compare
There was a problem hiding this comment.
I don't love the added /dist/ directory, but as noted in #700 (comment), the alternatives are probably very slightly worse (IMO) 👍
There is a minor nit with the checksum though that I think we should move up next to the JSYAML_VERSION variable since when one changes they both have to. If that checksum is published on a webpage somewhere, it'd also be helpful to make sure we're linking to that in a comment next to it (so that it's easier to figure out where it comes from if/when we update it).
| wget -O /opt/js-yaml/js-yaml.tgz https://registry.npmjs.org/js-yaml/-/js-yaml-${JSYAML_VERSION}.tgz; \ | ||
| echo "662e32319bdd378e91f67578e56a34954b0a2e33aca11d70ab9f4826af24b941 */opt/js-yaml/js-yaml.tgz" | sha256sum -c -; \ | ||
| tar -xz --strip-components=1 -f /opt/js-yaml/js-yaml.tgz -C /opt/js-yaml package/dist/js-yaml.js package/package.json; \ | ||
| rm -rf /opt/js-yaml/js-yaml.tgz; \ |
There was a problem hiding this comment.
Very minor nit, but -rf isn't necessary here any more (neither recursive nor force should be required to clean this up):
| rm -rf /opt/js-yaml/js-yaml.tgz; \ | |
| rm /opt/js-yaml/js-yaml.tgz; \ |
| wget -O /opt/js-yaml/package.json "https://github.com/nodeca/js-yaml/raw/${JSYAML_VERSION}/package.json"; \ | ||
| ln -s /opt/js-yaml/js-yaml.js /js-yaml.js; \ | ||
| wget -O /opt/js-yaml/js-yaml.tgz https://registry.npmjs.org/js-yaml/-/js-yaml-${JSYAML_VERSION}.tgz; \ | ||
| echo "662e32319bdd378e91f67578e56a34954b0a2e33aca11d70ab9f4826af24b941 */opt/js-yaml/js-yaml.tgz" | sha256sum -c -; \ |
There was a problem hiding this comment.
Unnecessary use of double quotes: 👀
| echo "662e32319bdd378e91f67578e56a34954b0a2e33aca11d70ab9f4826af24b941 */opt/js-yaml/js-yaml.tgz" | sha256sum -c -; \ | |
| echo '662e32319bdd378e91f67578e56a34954b0a2e33aca11d70ab9f4826af24b941 */opt/js-yaml/js-yaml.tgz' | sha256sum -c -; \ |
Alternatively, we could keep the double quotes and move the checksum to live up with the version number that actually influences it (ENV JSYAML_SHA256 ...), which is probably a better change.
|
I don't love the added dist either but couldn't get rid of it with the extract command alone. If I use sttip-components 2, the package.json doesn't get extracted |
No description provided.