Make npm package reproducible? #1477

Open
fasterthanlime opened this issue Oct 23, 2024 · 0 comments

Comments

@fasterthanlime
Contributor

While working on #1321 / #1465, I ran into test failures which made me notice the npm-package.tar.gz has a different checksum from one run to the next.

I was tasked by @mistydemeo to make the failure go away to land #1465, and by @ashleygwilliams to investigate why the darn thing wasn't stable to begin with. I'm happy to report the content is stable, but the things that vary between different runs at different dates / on different platforms are:

  • File timestamps
  • GID/UID (group/user ID)
  • Order of entries in the archive

diff --git a/linux_contents.txt b/mac_contents.txt
index 2a217a5..b9d8c3e 100644
--- a/linux_contents.txt
+++ b/mac_contents.txt
@@ -1,12 +1,12 @@
-drwxr-xr-x  0 1000   1000        0 Oct 23 15:48 package/
--rw-r--r--  0 1000   1000      538 Oct 23 15:48 package/README.md
--rw-r--r--  0 1000   1000    25504 Oct 23 15:48 package/npm-shrinkwrap.json
--rw-r--r--  0 1000   1000       78 Oct 23 15:48 package/install.js
--rw-r--r--  0 1000   1000       15 Oct 23 15:48 package/.gitignore
--rw-r--r--  0 1000   1000      794 Oct 23 15:48 package/CHANGELOG.md
--rw-r--r--  0 1000   1000     1066 Oct 23 15:48 package/LICENSE-MIT
--rw-r--r--  0 1000   1000    10845 Oct 23 15:48 package/LICENSE-APACHE
--rw-r--r--  0 1000   1000     3411 Oct 23 15:48 package/binary.js
--rw-r--r--  0 1000   1000     2216 Oct 23 15:48 package/package.json
--rw-r--r--  0 1000   1000       77 Oct 23 15:48 package/run-axolotlsay.js
--rw-r--r--  0 1000   1000     5727 Oct 23 15:48 package/binary-install.js
+drwxr-xr-x  0 501    20          0 Oct 23 15:55 package/
+-rw-r--r--  0 501    20       1066 Oct 22 23:37 package/LICENSE-MIT
+-rw-r--r--  0 501    20         77 Oct 23 15:55 package/run-axolotlsay.js
+-rw-r--r--  0 501    20         78 Oct 23 15:55 package/install.js
+-rw-r--r--  0 501    20       2216 Oct 23 15:55 package/package.json
+-rw-r--r--  0 501    20         15 Oct 23 15:55 package/.gitignore
+-rw-r--r--  0 501    20       5727 Oct 23 15:55 package/binary-install.js
+-rw-r--r--  0 501    20        538 Oct 22 23:37 package/README.md
+-rw-r--r--  0 501    20      25504 Oct 23 15:55 package/npm-shrinkwrap.json
+-rw-r--r--  0 501    20       3411 Oct 23 15:55 package/binary.js
+-rw-r--r--  0 501    20        794 Oct 22 23:37 package/CHANGELOG.md
+-rw-r--r--  0 501    20      10845 Oct 22 23:37 package/LICENSE-APACHE
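Review bot: the timestamp drift in the mac listing is not uniform, and that matters for how it gets fixed: README.md, CHANGELOG.md, LICENSE-MIT and LICENSE-APACHE carry Oct 22 23:37 while every other entry carries the run time Oct 23 15:55 (the linux listing has Oct 23 15:48 throughout), which is consistent with each entry taking its source file's mtime rather than the archive being amended; pinning every entry to one fixed mtime removes the drift regardless of the cause. The other two differences, 1000/1000 vs 501/20 and the shuffled entry order, are visible in the same lines and should be normalized in the same pass (fixed uid/gid, entries sorted by path) so that a single change makes the checksum stable.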

This is all fixable imho, and would take limited effort. I would standardize on 1000 for GID/UID (I'm not sure npm cares either way, you have to go out of your way to get tar to preserve those). Entries can be sorted before being added to the archive.

I genuinely don't understand what's happening with timestamps, are we... amending .tar files when building them? So the Oct 22 timestamps are from when I ran a different test yesterday? I fear that might be the case, and I'd like to address that separately.
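The three fixes proposed above (pinned uid/gid, sorted entries, a single fixed mtime), as an added example that is not the project's own code: a Python build of an npm-style tarball whose bytes do not depend on builder, clock or readdir order, followed by a run that builds the same tree twice a day apart and compares digests. The mtime constant and the sample file tree are constructed for this example.

```python
import gzip, hashlib, io, os
import tarfile, tempfile, time
from pathlib import Path

# The issue proposes standardizing on uid/gid 1000; FIXED_MTIME is an arbitrary
# constant chosen for this example (hypothetical, not from the page).
FIXED_UID = FIXED_GID = 1000
FIXED_MTIME = 1_700_000_000

def _normalize(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Strip every header field that varies between builders or runs."""
    info.uid, info.gid = FIXED_UID, FIXED_GID
    info.uname = info.gname = ""       # would otherwise leak the builder's account name
    info.mtime = FIXED_MTIME           # one timestamp for all entries, not each file's own
    info.mode = 0o755 if info.isdir() else 0o644  # drop umask-dependent bits
    return info

def build_reproducible_tgz(src_dir: str) -> bytes:
    """Return .tar.gz bytes of src_dir laid out under 'package/' as npm expects."""
    root, buf = Path(src_dir), io.BytesIO()
    # gzip also records an mtime and a filename in its header: zero and blank them.
    with gzip.GzipFile(filename="", mode="wb", fileobj=buf, mtime=0) as gz, \
            tarfile.open(fileobj=gz, mode="w", format=tarfile.PAX_FORMAT) as tar:
        tar.add(root, arcname="package", recursive=False, filter=_normalize)
        for p in sorted(root.rglob("*")):  # sorted: independent of readdir order
            tar.add(p, arcname="package/" + p.relative_to(root).as_posix(),
                    recursive=False, filter=_normalize)
    return buf.getvalue()

def list_entries(tgz: bytes) -> list:
    """Like `tar -tv`: (name, uid, gid, mtime) per entry, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        return [(m.name, m.uid, m.gid, m.mtime) for m in tar.getmembers()]

def build_twice() -> tuple:
    """Build one constructed tree twice, a day apart in file mtime.
    Returns (sha256 of run 1, sha256 of run 2, entry listing of run 2)."""
    digests, entries = [], []
    for run in range(2):
        with tempfile.TemporaryDirectory() as d:
            pkg = Path(d)
            (pkg / "bin").mkdir()
            (pkg / "package.json").write_text('{"name": "example", "version": "1.0.0"}\n')
            (pkg / "README.md").write_text("# example\n")
            (pkg / "bin" / "run.js").write_text("console.log('hi');\n")
            for f in pkg.rglob("*"):           # simulate files touched on different days
                os.utime(f, (time.time() - run * 86400,) * 2)
            tgz = build_reproducible_tgz(d)
            digests.append(hashlib.sha256(tgz).hexdigest())
            entries = list_entries(tgz)
    return digests[0], digests[1], entries
```

Running `build_twice()` from two differently timestamped copies of the tree yields identical digests; `list_entries` shows every entry at uid/gid 1000 and the fixed mtime, in sorted order.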

fasterthanlime added a commit that referenced this issue Oct 23, 2024