Latest version on NPM has old timestamps

Question

Latest version on NPM has old timestamps

Josniii opened this issue 6 years ago · comments

Installing the latest version through NPM results in the following files having very old timestamps:

find ./node_modules/* -mtime +10950
./node_modules/cacache/README.md
./node_modules/cacache/verify.js
./node_modules/cacache/CHANGELOG.md
./node_modules/cacache/README.es.md
./node_modules/cacache/locales/en.json
./node_modules/cacache/locales/es.json
./node_modules/cacache/locales/en.js
./node_modules/cacache/locales/es.js
./node_modules/cacache/en.js
./node_modules/cacache/rm.js
./node_modules/cacache/ls.js
./node_modules/cacache/index.js
./node_modules/cacache/es.js
./node_modules/cacache/lib/verify.js
./node_modules/cacache/lib/util/tmp.js
./node_modules/cacache/lib/util/y.js
./node_modules/cacache/lib/util/hash-to-segments.js
./node_modules/cacache/lib/util/fix-owner.js
./node_modules/cacache/lib/util/move-file.js
./node_modules/cacache/lib/memoization.js
./node_modules/cacache/lib/content/path.js
./node_modules/cacache/lib/content/rm.js
./node_modules/cacache/lib/content/write.js
./node_modules/cacache/lib/content/read.js
./node_modules/cacache/lib/entry-index.js
./node_modules/cacache/LICENSE.md
./node_modules/cacache/get.js
./node_modules/cacache/put.js

These cause issues with deployments to Elastic Beanstalk:
ERROR: ValueError :: ZIP does not support timestamps before 1980

I manually fixed these for now with find ./node_modules/* -mtime +10950 -exec touch {} + so I could get on with things, but I'd like to see this fixed as its a major nuisance when using EB.

Node version: 6.11.5
NPM version: 3.10.10

Luke r. · Answer 1 · Tue Feb 06 2018 19:31:01 GMT+0800 (China Standard Time)

Is this gonna be fixed ?

Kat Marchán · Answer 2 · Wed Feb 07 2018 03:28:11 GMT+0800 (China Standard Time)

Oh yikes! What version of zip is this?!

Hawk Newton · Answer 3 · Sat Feb 17 2018 01:54:12 GMT+0800 (China Standard Time)

It's happening for me when the AWS Elasticbeanstalk CLI tries to build a deployable.

Kat Marchán · Answer 4 · Sat Feb 17 2018 05:16:02 GMT+0800 (China Standard Time)

Honestly you should probably use a ZIP implementation that doesn't implode on old timestamps. This is a new feature of npm that allows us to generate tarballs with identical checksums across machines, and there's no way to change previously-published packages that suffer from this (cacache being one of them).

Additionally, I really don't consider this a bug in cacache: if you want a quick fix, I suggest you make your deploy script manually fix those time stamps, as OP shared, and just wait until the npm CLI takes action on this. You'll continue to see this error for the foreseeable future as users use versions of the CLI that don't have that hypothetical patch, though.

Since this is not a cacache bug, I'm closing this.

Kat Marchán · Answer 5 · Sat Feb 17 2018 05:16:51 GMT+0800 (China Standard Time)

Oh, and if you want somewhere to put this bug up: I suggest putting it in https://github.com/npm/node-tar/issues which is where this would be actionable.

Hawk Newton · Answer 6 · Sat Feb 17 2018 05:28:40 GMT+0800 (China Standard Time)

Have you considered using the date of the last commit for all your timestamps? Using unix 0 as a last modified date is going to have far reaching repercussions down the line.

Also, a few days ago it looks like 10.0.2 didn't have this problem. Did you re-release it by chance? I was under the impression npm's were immutable.

Kat Marchán · Answer 7 · Sat Feb 17 2018 05:39:02 GMT+0800 (China Standard Time)

@hawknewton the tarballs are indeed immutable. If you didn't notice there being a problem before, then you probably just didn't notice or something changed on your end.