GNU bug report logs -
#78542
[Security] hash locking needed for tree-sitter downloads
Previous Next
Reported by: Daniel Colascione <dancol <at> dancol.org>
Date: Wed, 21 May 2025 19:13:04 UTC
Severity: normal
Fixed in version 31.0.50
Done: Juri Linkov <juri <at> linkov.net>
Bug is archived. No further changes may be made.
Full log
Message #46 received at 78542 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Jun 8, 2025, at 10:45 AM, Juri Linkov <juri <at> linkov.net> wrote:
> Here is the current state:
>
> 3. (treesit--install-language-grammar-1
> (locate-user-emacs-file "tree-sitter") 'json
> "https://github.com/tree-sitter/tree-sitter-json"
> "4d770d3")
>
> fails to check out "4d770d3" with the error:
>
> git clone https://github.com/tree-sitter/tree-sitter-json --quiet --depth 1 -b 4d770d3
> warning: Could not find remote branch 4d770d3 to clone
> fatal: Remote branch 4d770d3 not found in upstream origin
I’m a bit late to the party, here, but would it make sense to have, say:
(treesit--install-language-grammar-1
(locate-user-emacs-file "tree-sitter") 'json
"https://github.com/tree-sitter/tree-sitter-json"
:tag "v0.24.8"
:commit "4d770d31f732d50d3ec373865822fbe659e47c75")
We could then:
git clone https://github.com/tree-sitter/tree-sitter-json --quiet --depth 1 -b v0.24.8
git checkout 4d770d31f732d50d3ec373865822fbe659e47c75
Additionally, I think including the tag helps to clarify the intention to anyone reading the code, without them having to go away and refer to the repository to find out about that commit.
--
Peter Oliver
This bug report was last modified 23 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.