errors in autopatch_mix when package not in Hex

[artman41]

When autopatching a mix.exs file. the below case statement can fail if the Hex repo used does not contain the version of the package being checked.

erlang.mk/core/elixir.mk

Lines 37 to 48 in 973ccc3

	case hex_repo:get_package(Config, atom_to_binary(Name)) of
	{ok, {200, _RespHeaders, Package}} ->
	#{releases := List} = Package,
	{value, #{version := Version}} = lists:search(fun(#{version := Vsn}) ->
	M = list_to_atom("Elixir.Version"),
	F = list_to_atom("match?"),
	M:F(Vsn, Req)
	end, List),
	{ok, Version};
	{ok, {Status, _, Errors}} ->
	{error, Status, Errors}
	end

This can happen in an environment where access to hex.lb.local is restricted and dependencies are being pulled from git instead.

This results in {error,unverified} being returned by hex_repo:get_package/2

This should likely be handled as an actual failure but can be a valid expectation like the situation above

Could it be worth checking the fetch method of the dependency and ignoring the error if it's not from hex?

[artman41]

Another situation is when the hex repo does not contain the package at all, in which case the following is returned

The below is an example return from websock being fetched via git

{error,404,
                                                                                                                 <<"<HTML>\n       <HEAD>\n           <TITLE>Object Not Found</TITLE>\n      </HEAD>\n      <BODY>\n      <H1>Object Not Found</H1>\nThe requested URL &#47;packages&#47;websock was not found on this server.\n</BODY>\n      </HTML>\n">>}

[essen]

Is the issue just that there's a crash instead of a nicer error?

This can happen in an environment where access to hex.lb.local is restricted and dependencies are being pulled from git instead.

I don't understand what this means. If you fetch a dependency from git but its mix.exs points to Hex packages, and access to Hex is restricted, what should happen?

[artman41]

Is the issue just that there's a crash instead of a nicer error?

This can happen in an environment where access to hex.lb.local is restricted and dependencies are being pulled from git instead.

I don't understand what this means. If you fetch a dependency from git but its mix.exs points to Hex packages, and access to Hex is restricted, what should happen?

The main issue I'd say is that there's a crash rather than informing the user of the issue

Ref the second point:

The mix autopatching tries to verify the version of the package against Hex - I believe we did this to resolve the ~> syntax to an actual version that can be used when writing the Makefile

erlang.mk/core/elixir.mk

Lines 105 to 108 in 973ccc3

	({Name, Req}) when is_binary(Req) ->
	{ok, Vsn} = HexVersionResolve(Name, Req),
	Write(["DEPS += ", atom_to_list(Name), "\n"]),
	Write(["dep_", atom_to_list(Name), " = hex ", Vsn, " ", atom_to_list(Name), "\n"]);

In a restricted environment where deps are pulled via git however, this fails

The only thing I can think is that an additional case is added for when the dep is fetched via git and hex can't be accessed to mirror the dep entry

i.e.

Write(["dep_$(1) = $(dep_$(1))", "\n"]);