Example of Package Collision (aka Package Hijacking) behavior with SAT using URLs and forks

The way Nimble reads project info currently is broken. It depends on the iteration order of packages in `~/.nimble/pkgs2`, which include packages from *any* URL.

This should be useful, but unfortunately the package caching and URL handling doesn't account for this. Also, it depends on the Nimble commands used and refactors could changes the behavior of commands as well. 

This issue _can also occur_ even if an upstream dependency uses a URL for `requires "url"`. In that way a bad actor could trick your local Nimble to install their package and modify their project checksum so it'll be loaded first.

This is a concrete example showing what happens based on https://github.com/nim-lang/nimble/issues/1323 

# Stage 1

My project Figuro uses `windy`. We do a `nimble install -d` and get:

```
├── windy @any (@0.0.0) [vcs: 4333b8145 checksum: 2c7e93eba]
```

<img width="808" alt="image" src="https://github.com/user-attachments/assets/34ff1960-3ca4-471d-857e-279b7afe86cf" />

# Step 2

I fork windy and test out a new feature at https://github.com/elcritch/windy#macos-keyinput-fixes.

Running `nimble install -d` works as expected and we get:

```
├── windy #macos-keyinput-fixes (@0.0.0) [vcs: 6da1864c8 checksum: a8227bbbd]
```

<img width="947" alt="image" src="https://github.com/user-attachments/assets/b1e2927e-fc03-49a1-820d-2b50143aa3e5" />

# Step 3

I decide to abandon the feature, or it gets merged upstream but without a new release, etc. Lots of variations can occur. 

We revert `figuro.nimble` back to `requires "windy"`. We expect Nimble would go back to the official Windy package right? 

Nope! Worse is that behavior seems to depend on the _checksum hash_ as that's the order that Nimble will load the package info. In this case it appears to be choosing the _last_ package repo which is my forked package.

It sticks with the forked version even if we do a `nimble install -d` again:

<img width="812" alt="image" src="https://github.com/user-attachments/assets/ee738314-e574-4ea2-822a-8a34cff89237" />

# Bonus Issue - Let the compiler decide which package it uses

Adding this to figuro.nimble like:

```nim
requires "https://github.com/elcritch/windy#macos-keyinput-fixes"
requires "windy"
```

Results in this: 

```
├── windy #macos-keyinput-fixes (@0.0.0) [vcs: 6da1864c8 checksum: a8227bbbd]
├── windy @any (@0.0.0) [vcs: 6da1864c8 checksum: a8227bbbd]
```

Which means on the Nimble commands used, the Nim compiler could get multiple paths for the same package name "windy". I'm not sure what happens then.

<img width="906" alt="image" src="https://github.com/user-attachments/assets/5836b686-5a15-4e20-9c2d-8586803160d5" />





Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Example of Package Collision (aka Package Hijacking) behavior with SAT using URLs and forks #1329

Stage 1

Step 2

Step 3

Bonus Issue - Let the compiler decide which package it uses

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Example of Package Collision (aka Package Hijacking) behavior with SAT using URLs and forks #1329

Description

Stage 1

Step 2

Step 3

Bonus Issue - Let the compiler decide which package it uses

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions