2024-07-09: Package Manifest is not coherent errors
Customer Impact
Support has received at least 5 tickets reporting Package Manifest is not coherent errors when uploading packages.
Based on estimates from error logs, ~9% of npm uploads were impacted.
Current Status
Incident is resolved by 4 MRs deployed on production (last status update):
- Fix publishing npm package with custom root fol... (gitlab-org/gitlab!155842 - merged)
- Parse the package.json file entirely for NPM up... (gitlab-org/gitlab!158978 - merged)
- Relax the version comparison for NPM uploads (gitlab-org/gitlab!159327 - merged)
- Exclude scripts from coherence check when publi... (gitlab-org/gitlab!159427 - merged)
Post-Resolution Status
The root cause (details below) of the Package Manifest is not coherent errors was determined to be part of a security patch for the npm registry, https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4047+. When the cause of the incident was determined, the security release process was already underway. To open the MRs which would fix the errors, engineers first needed to wait for the security patch to be released to gitlab.com. When the fix MRs were deployed, an additional source of the errors was determined to be npm publish auto-corrections. The workaround for the remaining errors in this case is to run an npm pkg fix script and publish again. When the incident was resolved, ~4.9% of npm uploads were receiving this error.
As a follow-up action, the Package team has scheduled an issue to improve error messages in the UI when npm runs auto-correct on packages that fail its coherence checks:
- Improved error message for npm packages that we... (gitlab-org/gitlab#472080 - closed)
Slack thread for additional context
It seems to have been introduced in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/15584
More information will be added as we investigate the issue. For customers believed to be affected by this incident, please subscribe to this issue or monitor our status page for further updates.
Note: In some cases we need to redact information from public view. We only do this in a limited number of documented cases. This might include the summary, timeline or any other bits of information, as laid out in our handbook page. Any of this confidential data will be in a linked issue, only visible internally. By default, all information we can share will be public, in accordance with our transparency value.
Security Note: If anything abnormal is found during the course of your investigation, please do not hesitate to contact security.