-
Notifications
You must be signed in to change notification settings - Fork 781
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reproducible npm tarballs #1545
Comments
It turns out my hunch was correct. The npm cli has indeed already done all the heavy lifting in terms of file timestamps, file order in the archive and other glue in the tgz file, all being deterministic and reproducible. When I check out 2.16.0 in a clean git clone of our repo, and run the build, and run However, when I do the same from Linux (Node 12, npm 7.5.2), the extracted files are identical but the tgz checksum does not match. With the help of diffoscope the difference was very quickly found: --- npm-2.16.0.tgz
+++ qunit-2.16.0.tgz
├── filetype from file(1)
│ @@ -1 +1 @@
│ -gzip compressed data, max compression
│ +gzip compressed data This turns out to be due to a difference in zlib compression defaults between platforms. This was already reported and fixed upstream (npm/pacote#71, npm/cli#2922) and released as part of npm 7.7.0, so if we upgrade the reproducible-builds CI job from Node 12 to Node 14, we can probably add a simple |
I'd like to keep our CI simple and use only pre-installed Node+npm versions. This means either Node 12 or 14 with npm 6.x, or Node 16 with latest npm 7.x. We can't use Node 14 with npm 6.x because npm-pack wasn't yet deterministic there (npm/pacote#71), which was fixed in npm 7.7.0. But, updating the job to Node 16 (and thus latest npm 7.20), fails the build due to an unrelated bug in npm with v1 lock file processing being broken for the |
Locally, I use Node 14 with npm 7.5.2, and installation still works there, so it's presumably not an (intentional) breaking change in 7.0, but rather a regression bug introduced later in the npm 7.x series between 7.5.2 and 7.20.3. |
We currently have a reproducible
qunit.js
release artifact.It is byte-for-byte identical between what one can independently generate using
npm run build
(release doc), and what we have published to the npm registry and on code.jquery.com CDN.As a next step, I'd like for downstream tarball created by npm to also be reproducible, and for the verification process to be automated from a nighly Travis CI cronjob (e.g. build latest release tag, and compare against downloaded tarball).
Some pointers to get going:
https://registry.npmjs.org/NAME/-/NAME-VERSION.tgz
such ashttps://registry.npmjs.org/oojs/-/oojs-5.0.0.tgz
foroojs@5.0.0
git tag --sort=v:refname --list '[0-9]*'
to find the latest tag, as sorted by SemVer.See also:
The text was updated successfully, but these errors were encountered: