Bug 293543 - www/py-yt-dlp-ejs: SHA256 Checksum mismatch for yt-dlp-ejs/yt-dlp-ejs-node-modules-0.5.0.tar.gz.
Summary: www/py-yt-dlp-ejs: SHA256 Checksum mismatch for yt-dlp-ejs/yt-dlp-ejs-node-mo...
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Yuri Victorovich
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2026-03-02 13:21 UTC by Ale
Modified: 2026-03-04 03:56 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (yuri)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ale 2026-03-02 13:21:39 UTC 
$ sudo make checksum -C /usr/ports/www/py-yt-dlp-ejs/
===>  License UNLICENSE accepted by the user
===>   py311-yt-dlp-ejs-0.5.0 depends on file: /usr/local/sbin/pkg - found
===>   py311-yt-dlp-ejs-0.5.0 depends on executable: npm - found
===> Fetching all distfiles required by py311-yt-dlp-ejs-0.5.0 for building
=> SHA256 Checksum OK for yt-dlp-ejs/yt_dlp_ejs-0.5.0.tar.gz.
=> SHA256 Checksum mismatch for yt-dlp-ejs/yt-dlp-ejs-node-modules-0.5.0.tar.gz.
===>  Refetch for 1 more times files:  yt-dlp-ejs/yt-dlp-ejs-node-modules-0.5.0.tar.gz 
===>  License UNLICENSE accepted by the user
===>   py311-yt-dlp-ejs-0.5.0 depends on file: /usr/local/sbin/pkg - found
===>   py311-yt-dlp-ejs-0.5.0 depends on executable: npm - found
====> Fetching yt_dlp_ejs-0.5.0.tar.gz
====> Fetching and packaging node_modules
npm warn Unknown global config "python". This will stop working in the next major version of npm.

added 188 packages, and audited 189 packages in 6s

47 packages are looking for funding
  run `npm fund` for details

6 vulnerabilities (2 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
npm notice
npm notice New minor version of npm available! 11.10.0 -> 11.11.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v11.11.0
npm notice To update run: npm install -g npm@11.11.0
npm notice
===> Fetching all distfiles required by py311-yt-dlp-ejs-0.5.0 for building
===>  License UNLICENSE accepted by the user
===>   py311-yt-dlp-ejs-0.5.0 depends on file: /usr/local/sbin/pkg - found
===>   py311-yt-dlp-ejs-0.5.0 depends on executable: npm - found
===> Fetching all distfiles required by py311-yt-dlp-ejs-0.5.0 for building
=> SHA256 Checksum OK for yt-dlp-ejs/yt_dlp_ejs-0.5.0.tar.gz.
=> SHA256 Checksum mismatch for yt-dlp-ejs/yt-dlp-ejs-node-modules-0.5.0.tar.gz.
===>  Giving up on fetching files:  yt-dlp-ejs/yt-dlp-ejs-node-modules-0.5.0.tar.gz 
Make sure the Makefile and distinfo file (/usr/ports/www/py-yt-dlp-ejs/distinfo)
are up to date.  If you are absolutely sure you want to override this
check, type "make NO_CHECKSUM=yes [other args]".
*** Error code 1

Stop.
make[1]: stopped making "checksum" in /usr/ports/www/py-yt-dlp-ejs
*** Error code 1

Stop.
make: stopped making "checksum" in /usr/ports/www/py-yt-dlp-ejs/
Comment 1 Yuri Victorovich freebsd_committer freebsd_triage 2026-03-02 22:56:16 UTC 
This is already fixed.
Thanks for your report!
Comment 2 Alastair Hogge 2026-03-03 07:30:45 UTC 
(In reply to Yuri Victorovich from comment #1)
What do you mean fixed? The Port is now marked as broken/ignore[1]:

> You cannot repack your distfile in do-fetch.
>
> If you need to extract things and move things around, do it in
> post-extract.
>
> With hat:	portmgr

Gosh, the do-fetch Makefile target is a mess of Makefile Black Magic, and fragile POSIX incantations, and why does the Port use Node, is Deno currently insufficient to replace the calls to npm?

1:  https://cgit.freebsd.org/ports/commit/?id=073694902a75bc96e8342c6a07ad397edf994239
Comment 3 Yuri Victorovich freebsd_committer freebsd_triage 2026-03-03 08:52:19 UTC 
(In reply to Alastair Hogge from comment #2)

> ... why does the Port use Node, is Deno currently insufficient ...

I am not sure whether Deno is able to fetch dependencies.
Even if it is able to, is there a benefit in this?

> The Port is now marked as broken/ignore[1]

I questioned that.

> do-fetch Makefile target is a mess of Makefile Black Magic

It fetches the tarball, extracts it, then fetches more into it, then packages it again, while potentially regenerating package-lock.json

All this requires shell and makefile magic.
Comment 4 Alastair Hogge 2026-03-03 10:42:03 UTC 
(In reply to Yuri Victorovich from comment #3)

> I am not sure whether Deno is able to fetch dependencies.

I am not sure on Deno's capacities either (I think it does support fetching from npm suppositories (yes intended)). 

> Even if it is able to, is there a benefit in this?

I started working on this Port, to move from npm to Deno, because it might reduce a dependency, Node, and restore a functioning yt-dlp for my hosts. I am probably way off, but my suspicion was that, Deno is designed with some degree, to be a near-drop-in replacement for npm; it is missing a "bundle" sub-command tho.

If there is no runtime dependency on npm, I might continue massaging the Port to drop it in favor of Deno. 

> It fetches the tarball, extracts it, then fetches more into it, then packages it again, while potentially regenerating package-lock.json

Thanks for clearing that up.
Comment 5 Vladimir Druzenko freebsd_committer freebsd_triage 2026-03-03 13:48:07 UTC 
> It fetches the tarball, extracts it, then fetches more into it,
> then packages it again, while potentially regenerating package-lock.json
Why not create tarball and host it at LOCAL/*?
FETCH_DEPENDS node is overkill, IMHO.
Comment 6 Yuri Victorovich freebsd_committer freebsd_triage 2026-03-04 03:55:53 UTC 
(In reply to Vladimir Druzenko from comment #5)

Because the way how it is now is easiest to update.
Comment 7 Yuri Victorovich freebsd_committer freebsd_triage 2026-03-04 03:56:30 UTC 
(In reply to Vladimir Druzenko from comment #5)

There are really no problems with how this port is now.