Possible reproducible builds regression in npm/pnpm (needs investigation)

kpcyrd kpcyrd at archlinux.org
Fri Apr 11 21:54:23 UTC 2025


On 4/11/25 10:30 PM, Chris Lamb wrote:
> That would be my reading as well. I don't think we're seeing this
> in Debian yet, as we should see 100s of packages suddenly become
> unreproducible (right?). But this fact might be useful: what versions
> of npm and pnpm are you using? At least we can narrow it down to a
> version range.

I'm not sure whether Debian uses the same commands; from what I can tell, it
uses dh-nodejs:

https://packages.debian.org/sid/dh-nodejs
https://salsa.debian.org/js-team/pkg-js-tools

But from there on it's difficult for me to follow along.

> A very cursory search of the npm codebase finds 10s of
> JSON.stringify(...) callsites related to the package.json file, hence
> worth knowing this. :)

Definitely worth documenting for future archive readers:

npm: 11.3.0-1
pnpm: 10.8.0-1

The -1 suffix is Arch Linux specific, and the three dot-separated numbers
before it are the upstream version.

The current diff varies slightly more:

│ ├── usr/lib/node_modules/wrangler/package.json
│ │ ├── Pretty-printed
│ │ │┄ Ordering differences only
│ │ │ @@ -131,18 +131,18 @@
│ │ │          "update-check": "^1.5.4",
│ │ │          "vitest": "~3.0.8",
│ │ │          "vitest-websocket-mock": "^0.4.0",
│ │ │          "ws": "8.18.0",
│ │ │          "xdg-app-paths": "^8.3.0",
│ │ │          "xxhash-wasm": "^1.0.1",
│ │ │          "yargs": "^17.7.2",
│ │ │ -        "@cloudflare/cli": "1.1.1",
│ │ │ +        "@cloudflare/pages-shared": "^0.13.25",
│ │ │          "@cloudflare/eslint-config-worker": "1.1.0",
│ │ │ +        "@cloudflare/cli": "1.1.1",
│ │ │          "@cloudflare/workers-shared": "0.17.1",
│ │ │ -        "@cloudflare/pages-shared": "^0.13.25",
│ │ │          "@cloudflare/workers-tsconfig": "0.0.0"
│ │ │      },
│ │ │      "peerDependencies": {
│ │ │          "@cloudflare/workers-types": "^4.20250408.0"
│ │ │      },
│ │ │      "peerDependenciesMeta": {
│ │ │          "@cloudflare/workers-types": {

The full buildinfo file looks like this:

format = 2
pkgname = wrangler
pkgbase = wrangler
pkgver = 4.9.1-1
pkgarch = x86_64
pkgbuild_sha256sum = 25fc51f9a3985edac8b5cd742a0e803b8ebfa486cc0c707eb8379edc67f82869
packager = kpcyrd <kpcyrd at archlinux.org>
builddate = 1744192662
builddir = /build
startdir = /startdir
buildtool = devtools
buildtoolver = 1:1.3.2-1-any
buildenv = !distcc
buildenv = color
buildenv = !ccache
buildenv = check
buildenv = !sign
options = strip
options = docs
options = !libtool
options = !staticlibs
options = emptydirs
options = zipman
options = purge
options = debug
options = lto
installed = acl-2.3.2-1-x86_64
installed = archlinux-keyring-20250123-1-any
installed = attr-2.5.2-1-x86_64
installed = audit-4.0.3-1-x86_64
installed = autoconf-2.72-1-any
installed = automake-1.17-1-any
installed = base-devel-1-2-any
installed = bash-5.2.037-2-x86_64
installed = binutils-2.44-1-x86_64
installed = bison-3.8.2-8-x86_64
installed = brotli-1.1.0-3-x86_64
installed = bzip2-1.0.8-6-x86_64
installed = c-ares-1.34.5-1-x86_64
installed = ca-certificates-20240618-1-any
installed = ca-certificates-mozilla-3.110-1-x86_64
installed = ca-certificates-utils-20240618-1-any
installed = coreutils-9.6-4-x86_64
installed = cryptsetup-2.7.5-2-x86_64
installed = curl-8.13.0-1-x86_64
installed = db5.3-5.3.28-5-x86_64
installed = dbus-1.16.2-1-x86_64
installed = dbus-broker-36-4-x86_64
installed = dbus-broker-units-36-4-x86_64
installed = dbus-units-36-4-x86_64
installed = debugedit-5.1-1-x86_64
installed = device-mapper-2.03.31-1-x86_64
installed = diffutils-3.11-2-x86_64
installed = e2fsprogs-1.47.2-2-x86_64
installed = esbuild-0.25.2-1-x86_64
installed = expat-2.7.1-1-x86_64
installed = fakeroot-1.37.1.1-1-x86_64
installed = file-5.46-4-x86_64
installed = filesystem-2024.11.21-1-any
installed = findutils-4.10.0-2-x86_64
installed = flex-2.6.4-5-x86_64
installed = gawk-5.3.2-1-x86_64
installed = gc-8.2.8-2-x86_64
installed = gcc-14.2.1+r753+g1cd744a6828f-1-x86_64
installed = gcc-libs-14.2.1+r753+g1cd744a6828f-1-x86_64
installed = gdbm-1.25-1-x86_64
installed = gettext-0.24-1-x86_64
installed = glib2-2.84.1-1-x86_64
installed = glibc-2.41+r9+ga900dbaf70f0-1-x86_64
installed = gmp-6.3.0-2-x86_64
installed = gnulib-l10n-20241231-1-any
installed = gnupg-2.4.7-1-x86_64
installed = gnutls-3.8.9-1-x86_64
installed = go-2:1.24.2-1-x86_64
installed = gpgme-1.24.2-1-x86_64
installed = grep-3.11-1-x86_64
installed = groff-1.23.0-7-x86_64
installed = guile-3.0.10-1-x86_64
installed = gzip-1.13-4-x86_64
installed = hwdata-0.394-1-any
installed = iana-etc-20250328-1-any
installed = icu-76.1-1-x86_64
installed = jansson-2.14.1-1-x86_64
installed = jq-1.7.1-2-x86_64
installed = json-c-0.18-1-x86_64
installed = kbd-2.7.1-2-x86_64
installed = keyutils-1.6.3-3-x86_64
installed = kmod-34.2-1-x86_64
installed = krb5-1.21.3-1-x86_64
installed = leancrypto-1.3.0-1-x86_64
installed = libarchive-3.7.9-1-x86_64
installed = libassuan-3.0.0-1-x86_64
installed = libc++-19.1.7-1-x86_64
installed = libc++abi-19.1.7-1-x86_64
installed = libcap-2.75-1-x86_64
installed = libcap-ng-0.8.5-3-x86_64
installed = libedit-20250104_3.1-1-x86_64
installed = libelf-0.192-4-x86_64
installed = libevent-2.1.12-4-x86_64
installed = libffi-3.4.7-1-x86_64
installed = libgcrypt-1.11.0-3-x86_64
installed = libgpg-error-1.51-1-x86_64
installed = libidn2-2.3.7-1-x86_64
installed = libisl-0.27-1-x86_64
installed = libksba-1.6.7-2-x86_64
installed = libldap-2.6.9-1-x86_64
installed = libmpc-1.3.1-2-x86_64
installed = libnghttp2-1.65.0-1-x86_64
installed = libnghttp3-1.8.0-1-x86_64
installed = libngtcp2-1.11.0-1-x86_64
installed = libnsl-2.0.1-1-x86_64
installed = libp11-kit-0.25.5-1-x86_64
installed = libpsl-0.21.5-2-x86_64
installed = libsasl-2.1.28-5-x86_64
installed = libseccomp-2.5.6-1-x86_64
installed = libsecret-0.21.7-1-x86_64
installed = libssh2-1.11.1-1-x86_64
installed = libsysprof-capture-48.0-3-x86_64
installed = libtasn1-4.20.0-1-x86_64
installed = libtirpc-1.3.6-1-x86_64
installed = libtool-2.5.4+r1+gbaa1fe41-3-x86_64
installed = libunistring-1.3-1-x86_64
installed = libusb-1.0.28-1-x86_64
installed = libuv-1.50.0-1-x86_64
installed = libverto-0.3.2-5-x86_64
installed = libxcrypt-4.4.38-1-x86_64
installed = libxml2-2.13.7-1-x86_64
installed = libyaml-0.2.5-3-x86_64
installed = linux-api-headers-6.13-1-x86_64
installed = lld-19.1.7-1-x86_64
installed = llvm-libs-19.1.7-1-x86_64
installed = lmdb-0.9.33-1-x86_64
installed = lz4-1:1.10.0-2-x86_64
installed = m4-1.4.19-3-x86_64
installed = make-4.4.1-2-x86_64
installed = mpdecimal-4.0.0-2-x86_64
installed = mpfr-4.2.2-1-x86_64
installed = ncurses-6.5-3-x86_64
installed = nettle-3.10.1-1-x86_64
installed = node-gyp-11.2.0-1-any
installed = nodejs-23.9.0-1-x86_64
installed = nodejs-nopt-7.2.1-1-any
installed = npm-11.3.0-1-any
installed = npth-1.8-1-x86_64
installed = oniguruma-6.9.10-1-x86_64
installed = openssl-3.4.1-1-x86_64
installed = p11-kit-0.25.5-1-x86_64
installed = pacman-7.0.0.r6.gc685ae6-2-x86_64
installed = pacman-mirrorlist-20250311-1-any
installed = pam-1.7.0-2-x86_64
installed = pambase-20230918-2-any
installed = patch-2.7.6-10-x86_64
installed = pcre2-10.45-1-x86_64
installed = perl-5.40.1-2-x86_64
installed = pinentry-1.3.1-5-x86_64
installed = pkgconf-2.4.3-1-x86_64
installed = pnpm-10.8.0-1-any
installed = popt-1.19-2-x86_64
installed = python-3.13.2-1-x86_64
installed = python-argcomplete-3.5.3-1-any
installed = python-tomlkit-0.13.2-2-any
installed = python-xmltodict-0.14.2-1-any
installed = python-yaml-6.0.2-2-x86_64
installed = readline-8.2.013-1-x86_64
installed = rust-1:1.86.0-1-x86_64
installed = rust-wasm-1:1.86.0-1-x86_64
installed = sed-4.9-3-x86_64
installed = semver-7.7.1-1-any
installed = shadow-4.17.4-1-x86_64
installed = simdjson-1:3.12.3-1-x86_64
installed = sqlite-3.49.1-1-x86_64
installed = sudo-1.9.16.p2-2-x86_64
installed = systemd-257.5-1-x86_64
installed = systemd-libs-257.5-1-x86_64
installed = tar-1.35-2-x86_64
installed = texinfo-7.2-1-x86_64
installed = tpm2-tss-4.1.3-1-x86_64
installed = turbo-2.5.0-1-x86_64
installed = typescript-5.8.3-1-any
installed = tzdata-2025b-1-x86_64
installed = util-linux-2.41-4-x86_64
installed = util-linux-libs-2.41-4-x86_64
installed = wasm-bindgen-0.2.100-1-x86_64
installed = wasm-component-ld-0.5.12-1-x86_64
installed = wasm-pack-0.13.1-1-x86_64
installed = which-2.23-1-x86_64
installed = worker-build-0.1.2-1-x86_64
installed = workerd-1.20250408.0-1-x86_64
installed = xxhash-0.8.3-1-x86_64
installed = xz-5.8.1-1-x86_64
installed = yq-3.4.3-2-any
installed = zlib-1:1.3.1-2-x86_64
installed = zstd-1.5.7-2-x86_64


