Skip to content

fix: resolve uWebSockets.js via a tarball URL, not a github: git spec#1756

Merged
kriszyp merged 1 commit into
mainfrom
kris/fix-uws-lockfile-https
Jul 11, 2026
Merged

fix: resolve uWebSockets.js via a tarball URL, not a github: git spec#1756
kriszyp merged 1 commit into
mainfrom
kris/fix-uws-lockfile-https

Conversation

@kriszyp

@kriszyp kriszyp commented Jul 10, 2026

Copy link
Copy Markdown
Member

Summary

Same root cause as harper-pro#561, filed against this repo since uWebSockets.js (added for #1096) is declared here too:

  • package.json declared uWebSockets.js via the github: shorthand (github:uNetworking/uWebSockets.js#v20.68.0).
  • npm/hosted-git-info resolves that to git+ssh://git@github.com/... in package-lock.json.
  • Our Docker build stage has no SSH credentials for github.com. Since it's an optional dependency, npm ci silently skips the failed clone — no error, no warning, build succeeds without it.
  • Net effect: the shipped image never bundles the native uWebSockets.js addon, so HARPER_UWS_UDS/HARPER_UWS_HTTP are inert even when explicitly set.

An explicit git+https:// spec does not fix this — verified with a clean npm cache that hosted-git-info canonicalizes any github.com git dependency back to git+ssh:// regardless of the requested protocol.

Fix

Point package.json at a plain tarball URL (https://github.com/uNetworking/uWebSockets.js/archive/<sha>.tar.gz) instead of a github: git spec. npm treats this as a remote-tarball dependency, not hosted-git, so the ssh-canonicalization path never runs. resolved stays a plain https URL with a pinned integrity hash — immune to regressing on a future npm install.

Verification

Ran npm ci in a HOME-stripped, credential-less environment (no ~/.ssh, no SSH agent) matching the Docker build stage, both before and after a full npm install regenerates the lockfile from package.json:

  • Before: uWebSockets.js silently absent from node_modules (0 native .node binaries).
  • After: installs cleanly, all 15 platform/ABI native binaries present.

Test plan

  • CI build picks up the change; confirm downstream harper-pro build (once its core submodule is bumped to include this) bundles node_modules/uWebSockets.js/*.node
  • Enable HARPER_UWS_UDS on a dev cluster and confirm the uWS backend actually engages

Same issue as harper-pro#561: the github: shorthand
(github:uNetworking/uWebSockets.js#v20.68.0) gets re-resolved by npm as
git+ssh://github.com/... on any npm install. Our Docker build stage has
no SSH credentials for github.com, so npm silently skips the (optional)
dependency and the shipped image never bundles the native addon —
HARPER_UWS_UDS / HARPER_UWS_HTTP are inert even when set.

An explicit git+https:// spec doesn't fix this either — confirmed with
a clean npm cache that npm/hosted-git-info canonicalizes ANY
github.com git dependency back to git+ssh:// regardless of requested
protocol. Switching to a plain tarball URL
(https://.../archive/<sha>.tar.gz) sidesteps hosted-git-info entirely:
npm treats it as a remote-tarball dependency, resolved stays a plain
https URL with a pinned integrity hash, and it can't regress on a
future npm install.

Verified npm ci installs all 15 native .node binaries in a
HOME-stripped, credential-less environment (matching the Docker build
stage) both before and after a full npm install regenerates the
lockfile from package.json.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the uWebSockets.js optional dependency in package.json to point to a specific tarball archive URL instead of a GitHub tag. The reviewer pointed out that the corresponding npm-shrinkwrap.json or package-lock.json file needs to be updated and committed as well, otherwise CI/CD pipelines using npm ci will continue to use the old resolved URL, rendering this change ineffective.

Comment thread package.json
"bufferutil": "^4.0.9",
"segfault-handler": "^1.3.0",
"uWebSockets.js": "github:uNetworking/uWebSockets.js#v20.68.0",
"uWebSockets.js": "https://github.com/uNetworking/uWebSockets.js/archive/624987739d4da0acb628aaf2a10fc43e7ce27c5c.tar.gz",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The repository tracks npm-shrinkwrap.json (as listed in the files array of package.json). However, the updated npm-shrinkwrap.json (or package-lock.json) is missing from this pull request. Without committing the updated lockfile/shrinkwrap, npm ci in CI/CD pipelines will continue to use the old resolved git URL, making this change ineffective.

@claude

claude Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Reviewed; no blockers found.

@kriszyp kriszyp merged commit 31de6a3 into main Jul 11, 2026
53 of 55 checks passed
@kriszyp kriszyp deleted the kris/fix-uws-lockfile-https branch July 11, 2026 22:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant