Node Docker image broken (opens in new tab)

(github.com)

51 pointslingz8y ago24 comments

24 comments

Never ever use :latest unless its in your docker-compose DEV file. Try to treat docker images like you would dependencies.

We always lock down to specific versions, but we also use a self hosted docker mirror to cache everything anyway.

moondev8y ago

other labels are mutable too though. That's why this broke for other tags beside latest. Use the hash instead for a hard link, but obviously won't get any security updates.

wereHamster8y ago

You subscribe to notifications about security updates, but never blindly accept them.

urda8y ago

Security updates should be vetted and not auto-accepted.

There's no problem here.

1 more reply

zackify8y ago

This is one of the reasons I never use the latest version of any docker image, so I don’t repeat my constant struggles with npm packages breaking on minor version changes

Edit:

I see they were overwriting current tags.... well that’s even worse

Cthulhu_8y ago

Latest should only be used for hackery / development, but please fix it to a stable version before release.

Overwriting tags should honestly not be possible, ever. Node / NPM did that (I think) with one of their versions too. Or was it a npm package?

allover8y ago

> Overwriting tags should honestly not be possible, ever. Node / NPM did that (I think) with one of their versions too. Or was it a npm package?

npm did away with `publish -f` (which would allow that) 4 years ago [1].

[1] http://blog.npmjs.org/post/77758351673/no-more-npm-publish-f

moondev8y ago

Use the hash instead of the label. Labels being mutable is helpful because you if you want the most current, bugfixed version of node 7.. node:7

AgentME8y ago

NPM doesn't allow version numbers to be re-used for a new release. (The old drama you might be thinking of was that NPM used to allow packages to be unpublished, which affected a lot of people when someone unpublished their popular module. NPM no longer allows releases to be unpublished after 24 hours.)

derefr8y ago

> Overwriting tags should honestly not be possible, ever.

How do you propose to withdraw a release if it’s broken/contains secret keys/etc.? Delete the image itself and leave the tag dangling?

1 more reply

dozzie8y ago

Ah yes, this happens from time to time when you use somebody else's repositories with somebody else's package retention. That's why production should only use repositories that change in ways that are predictable to you (OS upstream, your own, and usually nothing else).

timwis8y ago

huh? so like, don't use open source libraries?

dozzie8y ago

Are you implying that you cannot use others' code unless you download it from random places from the internets? That the others' code is fundamentally different from your code and thus cannot be hosted from your own repository?

jasonlotito8y ago

That's not what the OP is trying to say, though they have a hard time coming out and saying it, and their reply to you doesn't help matters.

Instead, what they are saying is that you should 1) use a specific version, and 2) host that version in a location you control. This way, updates don't impact your build just because you clamp to the latest (which is a moving target). Also, if they happen to rerelease a tag which worked for a previous build you made and now doesn't, you are still pulling in the same thing.

Basically, if you depend on something, host it yourself. Otherwise, you are asking to be bit by this.

1 more reply

blablabla1238y ago

Amen.

pmarreck8y ago

Was this untested or something?

I certainly don't see any unit tests as part of the commit that triggered this issue

(Yes, even, or perhaps especially, command line commands should be tested, somehow.)

tkone8y ago

well i mean it's broken if you use yarn. which isn't a standard part of node, so like, not really?

lainga8y ago

It's not standard, true, but it's also not an experimental feature, so one still wouldn't expect them to do wacky things like overwrite tags. I think many people expect version tagged code to not change, unless the developers specifically say they are nightly/experimental (there is a comment to that effect on the issue link).

jlg238y ago

How comes a 7 hour old, now closed, bug report on some dead simple bridging tech that abuses tags in their SCM is news?

j / k navigate · click thread line to collapse

24 comments

bearjaws8y ago

Never ever use :latest unless its in your docker-compose DEV file. Try to treat docker images like you would dependencies.

We always lock down to specific versions, but we also use a self hosted docker mirror to cache everything anyway.

moondev8y ago

other labels are mutable too though. That's why this broke for other tags beside latest. Use the hash instead for a hard link, but obviously won't get any security updates.

wereHamster8y ago

You subscribe to notifications about security updates, but never blindly accept them.

urda8y ago

Security updates should be vetted and not auto-accepted.

There's no problem here.

1 more reply

zackify8y ago

This is one of the reasons I never use the latest version of any docker image, so I don’t repeat my constant struggles with npm packages breaking on minor version changes

Edit:

I see they were overwriting current tags.... well that’s even worse

Cthulhu_8y ago

Latest should only be used for hackery / development, but please fix it to a stable version before release.

Overwriting tags should honestly not be possible, ever. Node / NPM did that (I think) with one of their versions too. Or was it a npm package?

allover8y ago

> Overwriting tags should honestly not be possible, ever. Node / NPM did that (I think) with one of their versions too. Or was it a npm package?

npm did away with `publish -f` (which would allow that) 4 years ago [1].

[1] http://blog.npmjs.org/post/77758351673/no-more-npm-publish-f

moondev8y ago

Use the hash instead of the label. Labels being mutable is helpful because you if you want the most current, bugfixed version of node 7.. node:7

AgentME8y ago

derefr8y ago

> Overwriting tags should honestly not be possible, ever.

How do you propose to withdraw a release if it’s broken/contains secret keys/etc.? Delete the image itself and leave the tag dangling?

1 more reply

dozzie8y ago

timwis8y ago

huh? so like, don't use open source libraries?

dozzie8y ago

jasonlotito8y ago

That's not what the OP is trying to say, though they have a hard time coming out and saying it, and their reply to you doesn't help matters.

Basically, if you depend on something, host it yourself. Otherwise, you are asking to be bit by this.

1 more reply

blablabla1238y ago

Amen.

pmarreck8y ago

Was this untested or something?

I certainly don't see any unit tests as part of the commit that triggered this issue

(Yes, even, or perhaps especially, command line commands should be tested, somehow.)

tkone8y ago

well i mean it's broken if you use yarn. which isn't a standard part of node, so like, not really?

lainga8y ago

jlg238y ago

How comes a 7 hour old, now closed, bug report on some dead simple bridging tech that abuses tags in their SCM is news?

j / k navigate · click thread line to collapse