
Security feature request: Use consistent file names in published files #20899

@dylang

Description

Because of the npm supply-chain attacks, it is nearly required for some of us to check the changes in every published package before allowing upgrades.

The problem is that Vite compiles files and adds a unique hash to the filename.

Small changes ripple to 36 thousand changed lines, making it impossible to visually scan for unexpected code.

Note: Because of how big the diff is, that page might take a while to load.

Suggested solution

  • Instead of hashes, use another method to give the files unique names that should stay consistent between most builds, with priority on the largest bundle (with 36,000 lines), which is the most important one not to change.
  • Other changes might still be needed to not pollute the diff, but that can be a separate ticket.

Alternative

No response

Additional context

Here's what a similar number of changes could look like.
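The stable-name build the request describes, as an added example that is not code from this issue or from the Vite project: Vite passes build.rollupOptions.output through to Rollup, whose entryFileNames / chunkFileNames options accept a function that receives the chunk info (name, isEntry, moduleIds, ...), so a config can already name output files by logical chunk name rather than by content hash. The helpers sanitizeName, stableChunkFileName, viteBuildConfig, outputPathsFor and pathsAreStable, and the two constructed "builds", are this example's own assumptions, not Vite API.

```javascript
// Added example, not from the Vite project or from this issue: a Vite build
// configuration that names output files by their logical chunk name instead of
// a content hash, so two builds of the same source tree produce the same paths
// and a package diff only shows real content changes.
//
// Assumed: Vite forwards build.rollupOptions.output to Rollup, whose
// entryFileNames / chunkFileNames accept a function receiving a chunk info
// object with `name` and `isEntry`. The helper names below are this example's
// own, not Vite API.

// Reduce a chunk name to a safe path component. Rollup derives `name` from
// module ids, so "@scope/pkg" or "../shared" must not become nested or odd paths.
function sanitizeName(name) {
  const cleaned = String(name ?? 'chunk')
    .replace(/[^a-zA-Z0-9._-]+/g, '_') // anything outside the safe set -> '_'
    .replace(/^[._]+/, '');            // no leading dots or underscores
  return cleaned || 'chunk';
}

// Naming hook for entryFileNames / chunkFileNames: the chunk's logical name
// decides its path, so editing a module's content does not move the file.
function stableChunkFileName(chunkInfo) {
  const base = sanitizeName(chunkInfo.name);
  // Entry points stay at the top level; shared and dynamic chunks go under chunks/.
  return chunkInfo.isEntry ? `${base}.js` : `chunks/${base}.js`;
}

// Drop-in for vite.config.js (`export default viteBuildConfig`).
const viteBuildConfig = {
  build: {
    rollupOptions: {
      output: {
        entryFileNames: stableChunkFileName,
        chunkFileNames: stableChunkFileName,
        // Rollup placeholder pattern without a [hash] component for CSS, images, fonts.
        assetFileNames: 'assets/[name].[ext]',
      },
    },
  },
};

// Apply the naming hook to a list of chunk info objects, as Rollup would during
// a build, and return the resulting output paths.
function outputPathsFor(chunks) {
  return chunks.map((chunk) => stableChunkFileName(chunk));
}

// Two constructed "builds" of the same project: same chunk names, but build B
// has changed content (different moduleIds / exports). The paths must agree.
const buildA = [
  { name: 'index', isEntry: true, moduleIds: ['/src/index.ts'], exports: ['main'] },
  { name: 'vendor', isEntry: false, moduleIds: ['/node_modules/lib/a.js'], exports: [] },
];
const buildB = [
  { name: 'index', isEntry: true, moduleIds: ['/src/index.ts', '/src/extra.ts'], exports: ['main', 'extra'] },
  { name: 'vendor', isEntry: false, moduleIds: ['/node_modules/lib/a.js', '/node_modules/lib/b.js'], exports: [] },
];

// True when two builds land on identical output paths, i.e. a content change
// did not rename any file.
function pathsAreStable(a, b) {
  return JSON.stringify(outputPathsFor(a)) === JSON.stringify(outputPathsFor(b));
}

console.log(outputPathsFor(buildA)); // [ 'index.js', 'chunks/vendor.js' ]
console.log(pathsAreStable(buildA, buildB)); // true
```

Caveat: the hash exists for cache busting. Without it, a browser or CDN may keep serving the previous index.js after a deploy unless the server sends short max-age or revalidation headers; for an npm-published library that is consumed by another bundler this is normally acceptable. Stable names only stop a one-line edit from renaming the whole bundle and every reference to it; every real content change still appears in the diff.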