This Issue is not a problem. So, I deleted Issue Template. It's an idea.

Scratch lastest version is 3. But it still doesn't work with git.
I thought that there is a way to make workable with git.
It's ... Make Scratch program data not binary.
I have opened .sb3 before, it was filled with .png,.wav,svg,json file.
File of png and wav are binary, but we can trans text file.
png-->svg
wav-->I don't know. But, Sound Programming file is good for this. Pitch of sound, time, etc are written in json. I'm sorry for I don't know audio file well.

If scratch works with git, children all over the world can learn git.
And, it's not binary and some server library is made, we can use scratch like js, ruby. Scratch will be not the only GUI.

I wonder if you think, it's happy. (I want to tell thank you before that, you read this)

The asset server is configured to return a JSON body along with a 403, but this line of code is ignoring the fact that you can get both a response AND not be successful https://github.com/LLK/scratch-storage/blob/develop/src/FetchTool.js#L45

We should be rejecting that promise chain on 403s, but because of the way the fetch tool returns just the text response and not the status, and does not reject the response itself, there is no way for the promise chain to fail.

/cc @cwillisf @BryceLTaylor @kchadha this is the reason that you do not get the "project failed to save" when you get authentication gets bumped by signing in to another computer. You can clearly see the 403s when you try to save, but they are being swallowed, and since nothing actually uses the response body we aren't catching the error elsewhere.

There was a recent security warning that warned against calling property functions on your own objects that you assume have been inherited from Object.prototype. E.g., don't do obj1.hasOwnProperty(propName).

Instead, you can call the original function, e.g. Object.prototype.hasOwnProperty.call(obj1, propName).

Expected Behavior

Loading static assets should leave the console quiet.

Actual Behavior

When you load a static asset, for example https://llk.github.io/scratch-gui/develop/static/extension-assets/scratch3_music/instruments/1-piano/36.mp3, it works, but you also get a 404 error because storage first looks for it on the assets server:

Failed to load https://cdn.assets.scratch.mit.edu/internalapi/asset/instruments/1-piano/36.mp3/get/: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://llk.github.io' is therefore not allowed access. The response had HTTP status code 404.

Steps to Reproduce

Load the music extension and check the console.

The devDependency semantic-release was updated from 15.13.11 to 15.13.12.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

semantic-release is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

The devDependency webpack was updated from 4.30.0 to 4.31.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

webpack is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

AssetType.js lists supported file types, but does not include mp3. It should, right? How and where and why does this matter?

@picklesrus discovered in the bug hunt that Scratch is issuing puts to update assets on the asset server when it should be using Posts.

We shouldn't ever try to update the md5 hash because they are unique and changing the image should have a new md5 hash.

The server doesn't accept puts, anyway and was sending back 405 errors while saving assets.

This came from testing scratchfoundation/scratch-gui#4726, which we reverted on develop.

Expected Behavior

There should be a straightforward way to create a new empty Asset object, or to create a new Asset with externally-defined contents, without relying on an environment-specific data type.

Actual Behavior

Doing so currently requires creating a Buffer, which is a Node.js-only type. This means there's no good way to create or fill an Asset in environment-neutral code.

Steps to Reproduce

See scratchfoundation/scratch-vm#915

I have no idea for a better place for this issue, but there it is.

One of my project got most of its assets deleted / replaced for no reason. I didn't even went on the project for days, didn't edit it either.

The project ID is 138198909.

The manifest still shows the correct asset hashes for some images, but for the others (most of them), when loaded, the default "asset not found / question mark on grey background" shows up.

You can see must of the ID's got replaced with 8e768a5a5a01891b05c01c9ca15eb6aa (costumes 1 to 6, zero is still as it was before)
https://assets.scratch.mit.edu/internalapi/asset/8e768a5a5a01891b05c01c9ca15eb6aa.svg/get/

It wasn't the case a few days ago tho.

Expected Behavior

Deprecated APIs should not be used.

Actual Behavior

The file BuiltinHelper.js calls new Buffer(...) as part of establishing its default assets. This call has been deprecated since Node 6.0.0 and in some contexts causes a message similar to this:

[DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.

Although in this case the actual code is not a security concern, I still think this should get a relatively high priority. This is because the message can sometimes be seen by the user (for example, if scratch-desktop is started from a terminal) and warns about security, which could worry users.

crypto is a node built-in module that does not work on the browser (it uses Buffer objects, but only typed arrays are available in the browser, and they are not equivalent).

We need a module that works on the browser also for computing md5s

Also faced difficulties with saving projects to my self-hosted backend with API and authentication.

Installed scratch-blocks, scratch-vm, scratch-storage separately (git clone), link them with scratch-gui.

What to do next? In the end, I want to get a working "Save now" button sending a request to my backend.

I am using the scratch 3.x desktop version. One thing bothering me is that the application does not have an auto-save function.
My child often forgot to save its project modification. What's more, the saving function always ask for a new storage path, which
is unnecssarily, this should be the behavior of "save as.." function.

got is a wrapper for node's http library. It currently does not work at all in an environment of an iOS webview, and the newest version seems to not work in browsers/webpack at all.

I suggest replacing it with something else. In our fork, I have replaced it with whatwg-fetch with great success, except the fact that tests fail, since it's a polyfill for browsers (isomorphic-fetch is outdated and doesn't allow for the same API across node/browser).

If you want, I can submit a PR with my changes.

On projects.scratch.mit.edu/xxxxxxxx/, at the end of a JSON, you can see one's useragent string, which I believe is an unnecessary invasion of Scratchers' privacy.
My suggestion is to make future projects' JSON not include one's full useragent string.

Note: The project ID was intentionally censored to protect Scratcher privacy.

Another note: If this is not possible for any reason, feel free to reject or only partially implement my suggestion.

Yet another note (sorry if this is annoying): The reason why I never post on the fourms is because I am not allowed to. Please don't ask about this one.

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pending Status Checks

These updates await pending status checks. To force their creation now, click the checkbox below.

• chore(deps): update babel monorepo to v7.24.6 (@babel/core, @babel/plugin-transform-runtime, @babel/preset-env)

Other Branches

These updates are pending. To force PRs open, click the checkbox below.

• fix(deps): lock file maintenance

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update dependency json to v10 [security]
• chore(deps): replace dependency babel-eslint with @babel/eslint-parser 7.11.0
• chore(deps): update actions/checkout digest to a5ac7e5
• chore(deps): update wagoid/commitlint-github-action digest to 9763196
• fix(deps): update dependency js-md5 to ^0.8.0
• chore(deps): update actions/setup-node action to v4
• chore(deps): update commitlint monorepo to v19 (major) (@commitlint/cli, @commitlint/config-conventional, @commitlint/travis-cli)
• chore(deps): update dependency babel-loader to v9
• chore(deps): update dependency eslint to v9
• chore(deps): update dependency eslint-plugin-jest to v28
• chore(deps): update dependency file-loader to v6
• chore(deps): update dependency husky to v9
• chore(deps): update dependency node to v18
• chore(deps): update dependency node to v20
• chore(deps): update dependency semantic-release to v23
• chore(deps): update dependency webpack to v5
• chore(deps): update dependency webpack-cli to v5
• chore(deps): update wagoid/commitlint-github-action action to v6
• fix(deps): update dependency cross-fetch to v4
• fix(deps): update dependency worker-loader to v3
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Expected Behavior

If an asset request returns a 404 response the WebLoader should skip that source and try the next.

Actual Behavior

The 404 response body is returned.

Steps to Reproduce

class Storage extends ScratchStorage {
    constructor () {
        super();
        this.addWebSource(
            [this.AssetType.Project],
            asset => `https://example.com/${asset.assetId}`
        );
    }
}

const storage = new Storage();
storage.load(storage.AssetType.Project, "x", storage.DataFormat.JSON)
    .then(project => console.log("I did load this:", project))
    .catch(e => console.error("Loading failed"));

I'll try to submit a PR for this.

At the bottom of WebHelper:store(), the body parameter appears to be a JSON string, not a JSON object:

Object.assign does currently convert the string to an object, but it does it character by character:

The code here that was setting the id does succeed in doing that -- as long as the assetId is already set:

(If it's an integer value, setting it succeeds:)

(...but if we're relying on the number being extracted from body, that doesn't work:)

So it seems what we really need to do is to JSON.parse the body -- at least before we try to access its content-name property.

Existing behavior:
PUT (updating project with id) response:

POST (creating new project) response:

Behavior should be:
PUT (updating project with id) response:

POST (creating new project) response:

Projects have never been saved using scratch-storage (it is done inside scratch-www & scratch-gui). They are loaded using scratch-storage, though.

It should be removed to reduce dead code. This also makes Asset immutable, and ensures all assets have MD5 id.

Expected Behavior

scratch-storage should be able to load JPG and GIF costumes, as present in the Scratch 2.0 costume library.

Actual Behavior

scratch-storage assumes all bitmap costumes are PNGs, so it tries to load JPG and GIF costumes with the wrong exception. This results in a 404 and a failure to load the costume.

Steps to Reproduce

1. Open your browser's network tab
2. Load project 152639677 in a version of scratch-vm or scratch-gui which uses scratch-storage
3. Look for a 404 on this address: https://cdn.assets.scratch.mit.edu/internalapi/asset/4f234884958b11023d44abc010ad50ec.png/get/

Currently, encodeDataUri uses the wave header, even for mp3 sounds. It should not. When this is fixed, there will also need to be a patch to scratch-gui/src/lib/backpack/sound-payload.js.

I'm running into a problem where all the dependencies are already inlined when importing scratch-storage into a project. For got this leads to a build that has unzipResponse inlined, even though it's not supported in the browser.

I think the problem is that got is getting inlined as a "devDependency" for the Node.js target. When the built scratch-storage npm package is run in the browser, got is hitting a codepath that isn't supported for web.

Expected Behavior

Loading a SVG from a server with gzip compression enabled shouldn't throw an error.

Actual Behavior

I get an exception: Uncaught TypeError: Cannot read property 'bind' of undefined and the asset fails to load.

Steps to Reproduce

Sample code:

import Storage from 'scratch-storage';

const storage = new Storage();
const assetType = storage.AssetType.ImageVector;
storage.addWebSource([assetType], asset => `/s/${asset.assetId}.${asset.dataFormat}`);
storage.load(assetType, '09dc888b0b7df19f70d81588ae73420e').then(/* ... */);

I'm seeing this fail in the browser when /s/09dc888b0b7df19f70d81588ae73420e.svg is returned with Content-Encoding: gzip.

Operating System and Browser

Mac OS 10.12.5
Chrome 60.0.3112.90

I try to follow doc on
https://github.com/LLK/scratch-storage

After Installation session
npm install https://github.com/LLK/scratch-storage.git

it is
Using scratch-storage
From HTML

How to apply save function to scratch? How they get to know each other?

May I ask where shoud I put those code to? Is there more detailed docs that I can refer to?

Thanks

since we moved from travis-ci.org to travis-ci.com, scratch-storage has not been deploying to npm. The problem is that the travis-after-all library assumes travis-ci.org.

We should stop using the deprecated travis-after-all library, and update our .travis.yml file to use a deploy section rather than an after_script section.

During the Bug Hunt today we decided to remove this pr scratchfoundation/scratch-gui#4644 since it seems to be making the experience worse on lower end devices, such as the Raspberry Pi and a slower Windows machine.

According to @thisandagain the libraries were loading more slowly but the libraries seemed "locked up"

He says: "It was a little hard to describe. They would load more slowly, but I could tell that loading the libraries was locking up the RPi less (less CPU and/or memory pressure)."

One can replicate the experience by opening the network tab of the console, choosing a slower connection and turning off caching. Then load the libraries.

The devDependency webpack was updated from 4.35.3 to 4.36.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

webpack is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

According to #100, the server may raise 403. However, there is no documentation about what errors they can raise.

• For example, currently large sounds raise 503. However, it should raise 413, or at least 400 with some custom results.
• Does it raise 401 for invalid session?
• Same for 415 (for invalid asset)

When remixing or creating a project as a copy, we use query strings to modify the URL, e.g. /?is_copy=1&title=My Project Title. Since we only rely on storage looking up the right handler based on the asset id, we don't have a way to dynamically set parameters for a particular store().

We need to do some thinking on the design of store since it now doesn't work ideally for either of the servers we're using it for. Our config for assets hack around the current design, which was created around project creation: https://github.com/LLK/scratch-gui/blob/develop/src/lib/storage.js#L24-L28, and we aren't using it at all for project creation anymore because of this URL issue.

Expected Behavior

Loading into the desktop app a project which refers to a missing costume should cause that costume to appear as a placeholder image, just like it does on the Scratch website.

Actual Behavior

Loading into the desktop app a project which refers to a missing costume causes an error message and prevents the project from loading at all.

Note that this means a single missing costume will prevent using the desktop app to recover any other data from a project -- even intact sprites, costumes, or sounds.

Steps to Reproduce

1. Open the standalone Scratch app on a Mac or Windows computer
2. Load a project which refers to a missing costume

Example project: Missing Blue Guy (broken).sb3.zip

Screenshots

When this happens, the developer console looks like this:

Expected Behavior

Please describe what should happen
Using storage in an environment with localStorage unavailable should not cause an error

Actual Behavior

Describe what actually happens
While using storage in a packaged Chrome extension, you get a warning:

window.localStorage is not available in packaged apps. Use chrome.storage.local instead.

Steps to Reproduce

Explain what someone needs to do in order to see what's described in Actual behavior above
Use storage in a packaged Chrome extension.

Currently this is emitting an unnecessary warning when storage is used in a Chrome extension, so this can be a quick fix for now.

The ProxyTool#store method should only try one of the registered tools if it gets a non-200 response from the server. The cascade should only be used if there is an error thrown related to creating the request, not from server errors.

This is causing multiple failing requests to be issued when storing an asset, even when the asset is rejected from the server (e.g. 400, 413, 403).

/cc @cwillisf