23 changes: 22 additions & 1 deletion src/Spago/Command/Fetch.purs
Expand Up @@ -217,7 +217,17 @@ run { packages: packagesRequestedToInstall, ensureRanges, isTest, isRepl } = do

fetchPackagesToLocalCache :: ∀ a. Map PackageName Package -> Spago (FetchEnv a) Unit
fetchPackagesToLocalCache packages = do
{ offline } <- ask
{ offline, workspace } <- ask
-- Build a map of expected integrities from the lockfile for verification
let
lockfileIntegrities :: Map (Tuple PackageName Version) Sha256
lockfileIntegrities = case workspace.packageSet.lockfile of
Left _ -> Map.empty
Right lockfile -> Map.fromFoldable $ Array.mapMaybe extractRegistryIntegrity $ Map.toUnfoldable lockfile.packages
where
extractRegistryIntegrity = case _ of
Tuple name (FromRegistry { version, integrity }) -> Just $ Tuple (Tuple name version) integrity
_ -> Nothing
-- Before starting to fetch packages we build a Map of AVars to act as locks for each git location.
-- This is so we don't have two threads trying to clone the same repo at the same time.
gitLocks <- liftAff $ map (Map.fromFoldable <<< List.catMaybes) $ for (Map.values packages) case _ of
Expand Down Expand Up @@ -246,6 +256,17 @@ fetchPackagesToLocalCache packages = do
Left err -> die $ "Couldn't read metadata, reason:\n " <> err
Right versionMetadata -> do
logDebug $ "Metadata read: " <> printJson Metadata.publishedMetadataCodec versionMetadata
-- Verify that the lockfile integrity matches the registry metadata
case Map.lookup (Tuple name v) lockfileIntegrities of
Just expectedIntegrity | expectedIntegrity /= versionMetadata.hash ->
logWarn $ Array.intercalate "\n"
An alternative would be printing an error and exiting the process, and expecting that people can come to the issue tracker if they hit a weird error in Spago such as this

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am worried about the opposite problem: flooding the issue tracker if someone accidentally stumbles on this 😄

[ "Package " <> packageVersion <> " has a different hash in the lockfile"
, " (" <> Sha256.print expectedIntegrity <> ")"
, "than in the registry metadata"
, " (" <> Sha256.print versionMetadata.hash <> ")."
, "This shouldn't really happen, so please open an issue at https://github.com/purescript/spago/issues"
]
_ -> pure unit
-- then check if we have a tarball cached. If not, download it
let globalCachePackagePath = Paths.globalCachePath </> "packages" </> PackageName.print name
let archivePath = globalCachePackagePath </> (versionString <> ".tar.gz")
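Review bot: The `Left _ -> Map.empty` arm of `lockfileIntegrities` in the first hunk silently disables the lockfile/registry hash cross-check for every package without a single log line, so a run where the lockfile is present but unusable is indistinguishable from a run where every hash matched. I can't tell from the hunk whether `Left` covers only a missing lockfile or also a parse failure; at minimum annotate it as `Left _ -> Map.empty -- no usable lockfile: registry/lockfile hash cross-check is skipped`, and a `logDebug` in the surrounding `do` saying the check is off would make the gap visible to anyone reading logs. The `_ -> pure unit` arm in the second hunk has the same problem, conflating "hash matches" with "package not pinned in the lockfile"; splitting off `Nothing -> logDebug $ "No lockfile integrity for " <> packageVersion <> ", skipping cross-check"` keeps the security-relevant outcome explicit in both cases. The body of fetchPackagesToLocalCache continues past the hunk.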