GNU bug report logs - #78542
[Security] hash locking needed for tree-sitter downloads


Package: emacs;

Reported by: Daniel Colascione <dancol <at> dancol.org>

Date: Wed, 21 May 2025 19:13:04 UTC

Severity: normal

Fixed in version 31.0.50

Done: Juri Linkov <juri <at> linkov.net>

Bug is archived. No further changes may be made.



Message #64 received at 78542 <at> debbugs.gnu.org:

From: Juri Linkov <juri <at> linkov.net>
To: Peter Oliver <p.d.oliver <at> mavit.org.uk>
Cc: casouri <at> gmail.com, 78542 <at> debbugs.gnu.org, dancol <at> dancol.org, eliz <at> gnu.org
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter
Date: Sun, 22 Jun 2025 09:53:31 +0300

>> 3. (treesit--install-language-grammar-1
>>    (locate-user-emacs-file "tree-sitter") 'json
>>    "https://github.com/tree-sitter/tree-sitter-json"
>>    "4d770d3")
>>
>>  fails to check out "4d770d3" with the error:
>>
>>  git clone https://github.com/tree-sitter/tree-sitter-json --quiet --depth 1 -b 4d770d3
>>  warning: Could not find remote branch 4d770d3 to clone
>>  fatal: Remote branch 4d770d3 not found in upstream origin
>
> I’m a bit late to the party, here, but would it make sense to have, say:
>
>   (treesit--install-language-grammar-1
>    (locate-user-emacs-file "tree-sitter") 'json
>    "https://github.com/tree-sitter/tree-sitter-json"
>    :tag "v0.24.8"
>    :commit "4d770d31f732d50d3ec373865822fbe659e47c75")
>
> We could then:
>
>   git clone https://github.com/tree-sitter/tree-sitter-json --quiet --depth 1 -b v0.24.8
>   git checkout 4d770d31f732d50d3ec373865822fbe659e47c75

This fails with

  fatal: reference is not a tree: 4d770d31f732d50d3ec373865822fbe659e47c75

because the required commit is later than the tag.
This is indicated in the comments section of json-ts-mode.el:

  ;; - tree-sitter-json: v0.24.8-1-g4d770d3

> Additionally, I think including the tag helps to clarify the intention
> to anyone reading the code, without them having to go away and refer
> to the repository to find out about that commit.

Anyone reading the code could look into the comments section where tags
are generated by treesit-admin using 'treesit--language-git-revision'.
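Added example, not code from this bug thread or from Emacs: the script below builds a throwaway local repository in the "v0.24.8-1-g4d770d3" shape discussed above (one tagged commit, one commit after the tag), reproduces why a shallow clone at the tag cannot check out the later commit, and then shows the alternative of fetching the pinned commit by its full hash and verifying HEAD afterwards. The tag name, file contents and the `uploadpack.allowReachableSHA1InWant` setting on the constructed upstream are assumptions for the local demo (hosting services such as GitHub already allow fetching a reachable commit by hash); the helper names are made up.

```shell
#!/bin/sh
# Added example (not from the bug thread): reproduce "reference is not a tree"
# for a shallow clone at a tag, then fetch and verify a commit pinned by hash.
# Everything runs offline against a constructed local repository.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# file:// so that --depth is honoured; a plain path makes git ignore --depth.
UPSTREAM="file://$WORK/upstream"

# Build the upstream: one tagged commit, then one commit after the tag
# (the v0.24.8-1-g... situation). Prints the hash of the later commit.
make_upstream() {
  git init -q "$WORK/upstream"
  (
    cd "$WORK/upstream"
    git config user.email dev@example.invalid   # constructed identity
    git config user.name dev
    # Assumption for the demo: let clients ask for a reachable commit by hash.
    git config uploadpack.allowReachableSHA1InWant true
    echo one > grammar.js
    git add grammar.js
    git commit -qm "tagged release"
    git tag v0.24.8                              # constructed tag name
    echo two >> grammar.js
    git commit -qam "fix after tag"
  )
  git -C "$WORK/upstream" rev-parse HEAD
}

# The pattern proposed in the thread: shallow clone at the tag, then checkout
# the later commit. Returns 2 if the clone fails, 1 if the clone succeeds but
# the commit is not in it, 0 if the checkout works.
clone_at_tag_then_checkout() {
  rm -rf "$WORK/try1"
  git clone -q --depth 1 -b v0.24.8 "$UPSTREAM" "$WORK/try1" 2>/dev/null || return 2
  git -C "$WORK/try1" checkout -q "$1" 2>/dev/null || return 1
}

# Pin by full hash: fetch exactly that commit, check it out, and refuse to
# proceed unless HEAD is the hash that was requested. Prints the verified hash.
fetch_pinned_commit() {
  rm -rf "$WORK/try2"
  git init -q "$WORK/try2"
  git -C "$WORK/try2" fetch -q --depth 1 "$UPSTREAM" "$1"
  git -C "$WORK/try2" checkout -q FETCH_HEAD 2>/dev/null
  actual=$(git -C "$WORK/try2" rev-parse HEAD)
  if [ "$actual" != "$1" ]; then
    echo "pinned hash mismatch: got $actual, wanted $1" >&2
    return 1
  fi
  printf '%s\n' "$actual"
}
```

Run as `SHA=$(make_upstream); clone_at_tag_then_checkout "$SHA"` to see the checkout fail, and `fetch_pinned_commit "$SHA"` to see the hash-pinned fetch succeed. The final `rev-parse HEAD` comparison is the part that matters for supply-chain pinning: the tag only documents intent, while the comparison against the full 40-character hash is what guarantees the checked-out tree is the one the maintainer recorded.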







GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.