From b1cfe07623e83025d113b3df80e7f971a97c51cb Mon Sep 17 00:00:00 2001 From: Kris Zyp Date: Fri, 10 Jul 2026 15:38:26 -0600 Subject: [PATCH] fix: pin uWebSockets.js via tarball URL, not a github: git spec MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Same issue as harper-pro#561: the github: shorthand (github:uNetworking/uWebSockets.js#v20.68.0) gets re-resolved by npm as git+ssh://github.com/... on any npm install. Our Docker build stage has no SSH credentials for github.com, so npm silently skips the (optional) dependency and the shipped image never bundles the native addon — HARPER_UWS_UDS / HARPER_UWS_HTTP are inert even when set. An explicit git+https:// spec doesn't fix this either — confirmed with a clean npm cache that npm/hosted-git-info canonicalizes ANY github.com git dependency back to git+ssh:// regardless of requested protocol. Switching to a plain tarball URL (https://.../archive/.tar.gz) sidesteps hosted-git-info entirely: npm treats it as a remote-tarball dependency, resolved stays a plain https URL with a pinned integrity hash, and it can't regress on a future npm install. Verified npm ci installs all 15 native .node binaries in a HOME-stripped, credential-less environment (matching the Docker build stage) both before and after a full npm install regenerates the lockfile from package.json. --- package-lock.json | 9 +++++---- package.json | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 922b1696d..d198b654e 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "harper", - "version": "5.1.15", + "version": "5.2.0-alpha.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "harper", - "version": "5.1.15", + "version": "5.2.0-alpha.1", "license": "Apache-2.0", "dependencies": { "@aws-sdk/client-s3": "^3.1012.0", @@ -138,7 +138,7 @@ "bufferutil": "^4.0.9", "segfault-handler": "^1.3.0", "utf-8-validate": "^5.0.10", - "uWebSockets.js": "github:uNetworking/uWebSockets.js#v20.68.0" + "uWebSockets.js": "https://github.com/uNetworking/uWebSockets.js/archive/624987739d4da0acb628aaf2a10fc43e7ce27c5c.tar.gz" }, "peerDependencies": { "@aws-sdk/client-bedrock-runtime": "^3.0.0" @@ -14868,7 +14868,8 @@ }, "node_modules/uWebSockets.js": { "version": "20.68.0", - "resolved": "git+ssh://git@github.com/uNetworking/uWebSockets.js.git#624987739d4da0acb628aaf2a10fc43e7ce27c5c", + "resolved": "https://github.com/uNetworking/uWebSockets.js/archive/624987739d4da0acb628aaf2a10fc43e7ce27c5c.tar.gz", + "integrity": "sha512-BcXO02DANWelQzJyMd2G875nBeZDDYHZxqE7uOH9cAsf62Ur3hl5+4crdqBWvFF+DzbUxJoswPqvE3i2aAEZ1g==", "license": "Apache-2.0", "optional": true }, diff --git a/package.json b/package.json index 69988690b..a79751fb9 100644 --- a/package.json +++ b/package.json @@ -253,7 +253,7 @@ "optionalDependencies": { "bufferutil": "^4.0.9", "segfault-handler": "^1.3.0", - "uWebSockets.js": "github:uNetworking/uWebSockets.js#v20.68.0", + "uWebSockets.js": "https://github.com/uNetworking/uWebSockets.js/archive/624987739d4da0acb628aaf2a10fc43e7ce27c5c.tar.gz", "utf-8-validate": "^5.0.10" }, "peerDependencies": {