compare tarball string as well in the generation phase to prevent bad tarball url #2487

Merged
merged 5 commits into from
Dec 12, 2024

shokakucarrier
Member

No description provided.

@@ -321,7 +321,7 @@ private boolean writePackageMetadata( List<StoreResource> firstLevelFiles, Artif
}

// Generate tarball url if missing
if ( versionMetadata.getDist() == null )
if ( versionMetadata.getDist() == null || !versionMetadata.getDist().getTarball().endsWith(packagePath.getTarPath()) )
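
Review bot: `endsWith(packagePath.getTarPath())` in the new condition is a suffix match, so a stored tarball URL on any host or scheme passes as long as it ends with the same tar path. If the aim is to reject bad tarball URLs, compare the stored value against the generated tarball URL in full rather than by suffix, or at least document why a suffix match is sufficient here.
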
Member

The original dist may contain other info that we should keep as it is, ref: https://github.com/npm/registry/blob/main/docs/responses/package-metadata.md#dist

Or do we need to compare this? Can we simply make it in the else branch, to avoid the potential null pointer exception?

Member Author

I have updated it to keep that extra data.
And btw, do we have a linter or formatter?

versionMetadata.setDist( new Dist( tarball ) );
versionMetadata.setDist( new Dist( tarball ) );
} else {
if ( !versionMetadata.getDist().getTarball().endsWith(packagePath.getTarPath()) )
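
Review bot: the check in the else branch calls `getTarball().endsWith(...)` on a dist that is only known to be non-null, so a dist whose getTarball() returns null throws here instead of being repaired. Treat a null tarball as a mismatch, for example `String t = versionMetadata.getDist().getTarball();` followed by `if ( t == null || !t.endsWith( packagePath.getTarPath() ) )`, so that case also receives the generated URL.
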
Member

There is a potential NULL pointer exception if getTarball() returns NULL.

Member Author

I thought tarball can't be null if dist is not.
Fixed.

} else {
if ( !versionMetadata.getDist().getTarball().endsWith(packagePath.getTarPath()) )
{
versionMetadata.setDist( new Dist( tarball, versionMetadata.getDist().getShasum(), versionMetadata.getDist().getIntegrity(),
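
Review bot: in the `new Dist( tarball, ...getShasum(), ...getIntegrity(), ...` call the tarball URL is replaced while shasum and integrity are copied from the existing dist, so those values still describe whatever the original URL pointed at. Add a comment stating that the rewritten URL is expected to serve the same bytes, since the copied checksums are only meaningful in that case. Passing each field positionally also means any dist field not listed in the constructor call is dropped; updating only the tarball on the existing Dist would avoid that.
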
Member

Is there a better way to avoid repeating the call to versionMetadata.getDist()? And it seems we just need to update tarball; how about adding a setter in Dist?

Member

sswguo commented Dec 12, 2024

LGTM.

shokakucarrier merged commit 3a614ea into Commonjava:master Dec 12, 2024
1 check passed