Yocto zeus, npm fetcher, bug

Zimmermann, Anthony


I use Yocto version 3.0.3 (zeus) and tried to install some node packages as described in the Yocto manual [1].
I found that manipulating a sha512 checksum in a package-lock.json file does not affect the installation, even though the purpose (or at least one of the purposes) of the lockdown file is to enable validation of the checksums, if I understand correctly.

This can be reproduced by installing node-red 1.0.2 using the recipe, shrinkwrap.json and package-lock.json files provided in the zeus branch of meta-iot-cloud [2], which is listed on openembedded.org [3]. Just replace some characters in any of the sha256 sums inside the package-lock.json and see that it does not affect the bitbake process.

I think the error is somewhere in the script poky/bitbake/lib/bb/fetch2/npm.py.
The function ‘download’ loads the lockdown file using json.load. The resulting dictionary is passed into the function ‘_getshrinkeddependencies’, and that function is supposed to check the checksum. The first thing that caught my attention is that the source code in ‘_getshrinkeddependencies’ seems to only be able to calculate sha1 sums, but I also find sha512 in e.g. the package-lock.json mentioned above. The second thing that I think is very interesting is that the condition ‘pkg in lockdown’ always returns False, no matter whether the package seems to be present in the lockdown file or not.

[1] Yocto manual: https://www.yoctoproject.org/docs/3.0.3/mega-manual/mega-manual.html#creating-node-package-manager-npm-packages

[2] node red recipe: https://github.com/intel-iot-devkit/meta-iot-cloud/tree/zeus/recipes-node-red/node-red

[3] openembedded.org (node-red recipe): https://layers.openembedded.org/layerindex/recipe/67980/

I think this is a bug. If it is not, I would really appreciate if someone could help me understand the npm fetcher.

Anthony Zimmermann
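As an added illustration of what checksum validation against a package-lock.json is expected to do (this is example code written for this page, not code from bitbake's npm.py, node-red or meta-iot-cloud): the script below builds a constructed lockfileVersion-1 package-lock.json with one sha512 and one sha1 "integrity" entry, looks packages up under the "dependencies" key rather than at the top level of the parsed dictionary, verifies a tarball against the recorded digest, and shows that editing a character of the integrity string makes verification fail. The package names, tarball bytes and "resolved" URLs are made up for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data (not from node-red or meta-iot-cloud): two fake
# tarballs and a minimal lockfileVersion-1 package-lock.json whose
# "integrity" fields are derived from those bytes. The "resolved" URLs
# are hypothetical placeholders.
TARBALLS = {
    "left-pad": b"constructed tarball bytes for left-pad",
    "is-odd": b"constructed tarball bytes for is-odd",
}

# Algorithms accepted in an SRI "integrity" string, strongest first.
SUPPORTED = ("sha512", "sha384", "sha256", "sha1")


def sri(algo, data):
    """Build an SRI string such as 'sha512-<base64 digest>' for data."""
    digest = hashlib.new(algo, data).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode())


LOCKDOWN_JSON = json.dumps({
    "name": "example-app",
    "version": "1.0.0",
    "lockfileVersion": 1,
    "dependencies": {
        "left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.example/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": sri("sha512", TARBALLS["left-pad"]),
        },
        "is-odd": {
            "version": "3.0.1",
            "resolved": "https://registry.example/is-odd/-/is-odd-3.0.1.tgz",
            "integrity": sri("sha1", TARBALLS["is-odd"]),
        },
    },
})


def load_lockdown():
    """Parse the lockfile the way a fetcher would (json.load on the file)."""
    return json.loads(LOCKDOWN_JSON)


def parse_integrity(value):
    """Split an SRI string into (algorithm, raw digest).

    SRI allows several space-separated hashes; the strongest supported one
    wins. Unknown algorithms are skipped, and an entry with no usable hash
    is an error rather than a silent pass."""
    best = None
    for token in value.split():
        algo, sep, b64 = token.partition("-")
        if not sep or algo not in SUPPORTED:
            continue
        digest = base64.b64decode(b64 + "=" * (-len(b64) % 4))
        if best is None or SUPPORTED.index(algo) < SUPPORTED.index(best[0]):
            best = (algo, digest)
    if best is None:
        raise ValueError("no supported hash in integrity %r" % value)
    return best


def find_locked(lockdown, pkg):
    """Locate pkg's entry. Packages live under the "dependencies" key, and
    nested ones under their parent's "dependencies", so a plain
    `pkg in lockdown` only ever tests top-level keys such as "name"."""
    deps = lockdown.get("dependencies", {})
    if pkg in deps:
        return deps[pkg]
    for child in deps.values():
        found = find_locked(child, pkg)
        if found is not None:
            return found
    return None


def verify_package(lockdown, pkg, tarball):
    """Return True iff tarball matches the integrity recorded for pkg."""
    entry = find_locked(lockdown, pkg)
    if entry is None:
        raise KeyError("%s is not recorded in the lockdown file" % pkg)
    algo, expected = parse_integrity(entry["integrity"])
    actual = hashlib.new(algo, tarball).digest()
    return hmac.compare_digest(actual, expected)


def tamper_integrity(lockdown, pkg):
    """Change one base64 character of pkg's integrity string, mimicking the
    manual edit described in the report, and return the modified lockdown."""
    entry = find_locked(lockdown, pkg)
    algo, sep, b64 = entry["integrity"].partition("-")
    first = "B" if b64[0] == "A" else "A"
    entry["integrity"] = algo + sep + first + b64[1:]
    return lockdown


if __name__ == "__main__":
    lock = load_lockdown()
    print("left-pad verifies:", verify_package(lock, "left-pad", TARBALLS["left-pad"]))
    tamper_integrity(lock, "left-pad")
    print("left-pad after tampering:", verify_package(lock, "left-pad", TARBALLS["left-pad"]))
```

The two points the example makes are that the digest algorithm has to be taken from the prefix of the integrity string (sha512 and sha1 both occur in real lockfiles) and that membership has to be tested inside "dependencies", since a top-level `pkg in lockdown` test can never be true for a package name.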
