Dependency mismatch between spec and multihash, no error raised

[karalabe]

Version information:

Source code, latest master

Type:

Package manager bug

Description:

Your packages.json contains a reference to whyrusleeping/lock. That reference is apparently wrong, as the QmVUAoR89E6KDBJmsfRVkAoBMEfgVfy8rRmvzf4y9rWp1d multihash contains go4-lock, not lock.

Fixing it is ofcourse easy:

diff --git a/package.json b/package.json
index 8fc8a7813..cac3f3904 100644
--- a/package.json
+++ b/package.json
@@ -149,7 +149,7 @@
     {
       "author": "whyrusleeping",
       "hash": "QmVUAoR89E6KDBJmsfRVkAoBMEfgVfy8rRmvzf4y9rWp1d",
-      "name": "lock",
+      "name": "go4-lock",
       "version": "0.0.2"
     },
     {

The interesting question though is why doesn't gx catch this, seems like a very nasty error that your dependency contains something else than defined and you actually accept it and build the code without raising a warning/error.

[djdv]

For reference, the source for that dependency comes from our local fork: https://github.com/gxed/go4-lock/
(which just removes the canonical import path)

The package itself is still named "lock", but it's located under the directory "QmVUAoR89E6KDBJmsfRVkAoBMEfgVfy8rRmvzf4y9rWp1d/go4-lock".

I believe the package.json name is used when specifying the namespace for the package
import lock "gx/ipfs/QmVUAoR89E6KDBJmsfRVkAoBMEfgVfy8rRmvzf4y9rWp1d/go4-lock"

I defer to @whyrusleeping for more information though.
Also, the "authors" field should probably be changed to "The Go4 authors".

---

More importantly, this dependency should have been removed with
#4631
as we don't use it directly anymore.

[jacobheun]

We're no longer using gx so this should no longer be an issue