Skip to content

fix: resolve uWebSockets.js via https, not ssh, in package-lock.json#561

Merged
kriszyp merged 2 commits into
mainfrom
kris/fix-uws-lockfile-https
Jul 11, 2026
Merged

fix: resolve uWebSockets.js via https, not ssh, in package-lock.json#561
kriszyp merged 2 commits into
mainfrom
kris/fix-uws-lockfile-https

Conversation

@kriszyp

@kriszyp kriszyp commented Jul 10, 2026

Copy link
Copy Markdown
Member

Summary

  • uWebSockets.js (added in #1096 as an optional dependency for HARPER_UWS_UDS/HARPER_UWS_HTTP) is locked in package-lock.json to a git+ssh:// URL.
  • Our Docker build stage (Dockerfile, build target) has no SSH credentials for github.com. npm ci treats the failed clone as an optional-dependency failure and silently skips it — no error, no warning, build succeeds without it.
  • Net effect: the shipped image never bundles the native uWebSockets.js addon, so HARPER_UWS_UDS/HARPER_UWS_HTTP are inert even when explicitly set — confirmed on a live 5.2.0-alpha.2 dev cluster (git binary is present via buildpack-deps:bookworm, but no SSH key exists to satisfy the locked URL).

Fix

One-line change: resolved for uWebSockets.js in package-lock.json from git+ssh:// to git+https:// (same commit, same tag v20.68.0). Public-repo HTTPS clone needs no credentials.

Verification

Ran npm ci in a HOME-stripped, credential-less environment (no ~/.ssh, no SSH agent) matching the Docker build stage:

  • Before this fix: uWebSockets.js silently absent from node_modules (0 native .node binaries).
  • After this fix: installs cleanly, all 15 platform/ABI native binaries present.

Test plan

  • CI Docker build picks up the change; confirm the resulting image contains node_modules/uWebSockets.js/*.node
  • Enable HARPER_UWS_UDS on a dev cluster behind symphony and confirm the uWS backend actually engages (next step from #1096's rollout plan)

The optional dependency (#1096) was locked to a git+ssh:// URL, which
requires a private key against github.com. Our Docker build stage has
no SSH credentials, so npm silently skips it as a failed optional
dependency — the resulting image never bundles the native addon, and
HARPER_UWS_UDS / HARPER_UWS_HTTP are inert even when set.

git+https needs no credentials for a public repo. Verified npm ci
installs uWebSockets.js's native binaries successfully in a
credential-less, HOME-stripped environment matching the Docker build
stage (previously failed silently there).
@kriszyp kriszyp requested a review from a team as a code owner July 10, 2026 21:08

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the dependency resolution URL for uWebSockets.js in package-lock.json from SSH to HTTPS. There are no review comments, and I have no feedback to provide.

@claude

claude Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Reviewed; no blockers found.

Comment thread package-lock.json Outdated
The previous fix (hand-editing package-lock.json's resolved field to
git+https) only patched the lockfile snapshot. package.json still
declared the dependency via the github: shorthand
(github:uNetworking/uWebSockets.js#v20.68.0), and npm/hosted-git-info
canonicalizes ANY github.com git dependency back to git+ssh:// when
regenerating — confirmed this happens even with an explicit
git+https:// spec in package.json, with a clean npm cache. A future
plain `npm install` would have silently reverted the lockfile fix and
reintroduced the silent-skip-in-Docker bug.

Switch to a plain tarball URL
(https://.../archive/<sha>.tar.gz) instead. npm treats this as a
remote-tarball dependency, not a hosted-git one, so hosted-git-info's
ssh canonicalization never applies — resolved stays a plain https URL
with a pinned integrity hash, immune to regeneration regressing it.

Verified npm ci installs all 15 native .node binaries in a
HOME-stripped, credential-less environment (matching the Docker build
stage) both before and after a full npm install regenerates the
lockfile from package.json.
@kriszyp kriszyp merged commit 6b91c0d into main Jul 11, 2026
34 checks passed
@kriszyp kriszyp deleted the kris/fix-uws-lockfile-https branch July 11, 2026 22:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants