npm pack changes shasum #5733

Closed
funerr opened this Issue Jul 19, 2014 · 7 comments

@funerr

It happened when I did the following:

npm pack ms
mv ms-0.6.2.tgz npm-pack-ms-0.6.2.tgz
sudo wget http://registry.npmjs.org/ms/-/ms-0.6.2.tgz
sha1sum ms-0.6.2.tgz  npm-pack-ms-0.6.2.tgz

-- Results:

d89c2124c6fdc1353d65a8b77bf1aac4b193708c  ms-0.6.2.tgz
f13296ecf600d296c9f2ff2b61f2f9eb12a69c79  npm-pack-ms-0.6.2.tgz

Why is this?

Note:

"_id":"ms@0.6.2","dist":{"shasum":"d89c2124c6fdc1353d65a8b77bf1aac4b193708c","tarball":"http://registry.npmjs.org/ms/-/ms-0.6.2.tgz"}
@rlidwka

Hmm... it might change the package descriptor file; modification times or owner usernames of all the files could also be changed.

You can run find -exec sha1sum {} \; to find out which files are actually changed, if any.

@othiym23

I'm going to guess that it's changes to package.json between the two, because they're going to have (at least) different resolved fields. In general, installing and then repacking packages is not going to be idempotent. Is it important for you that the two be the same, and if so, why?
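The per-file comparison suggested in the two comments above, as an added example that is not part of the original thread: it hashes each file inside two tarballs and also compares the tar header fields (mtime, owner name) that change the archive's shasum even when file contents match. The sample tarballs, the package name "demo" and the "_resolved" value are constructed for illustration.

```python
import hashlib
import io
import tarfile

def describe(tgz_bytes):
    """Map each regular file in a .tgz to its content hash and tar header fields."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                out[member.name] = {"sha1": hashlib.sha1(data).hexdigest(),
                                    "mtime": member.mtime, "uname": member.uname}
    return out

def diff_tarballs(a, b):
    """Return {member name: [fields that differ]}; ["missing"] if only in one."""
    da, db = describe(a), describe(b)
    report = {}
    for name in sorted(set(da) | set(db)):
        if name not in da or name not in db:
            report[name] = ["missing"]
        else:
            changed = [k for k in da[name] if da[name][k] != db[name][k]]
            if changed:
                report[name] = changed
    return report

def make_tgz(files, mtime, uname):
    """Build a constructed sample tarball in memory (stand-in for a real .tgz)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.uname = len(data), mtime, uname
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample data: the repacked copy gains a package.json field, new mtime and owner.
CODE = {"package/index.js": b"module.exports = 1\n"}
REGISTRY = make_tgz({**CODE, "package/package.json": b'{"name":"demo"}\n'},
                    mtime=1400000000, uname="publisher")
REPACKED = make_tgz({**CODE, "package/package.json":
                     b'{"name":"demo","_resolved":"constructed"}\n'},
                    mtime=1405000000, uname="local")

if __name__ == "__main__":
    for name, fields in diff_tarballs(REGISTRY, REPACKED).items():
        print(name, "differs in", ", ".join(fields))
```

To compare real archives, pass the bytes of the two files (for example ms-0.6.2.tgz and npm-pack-ms-0.6.2.tgz from the report) to diff_tarballs. An entry listing only mtime or uname means the file contents are identical and only the archive metadata differs.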

@iarna iarna added the support label Sep 17, 2014
@smikes

Is this still a problem for you?

I tested this with a recent version of npm (2.2.0) and a different module, and in my test the shasum of both a fresh npm pack and the uploaded module were the same. However, I did also make sure that nothing else -- such as an old packed tgz or the downloaded tgz file -- was in the directory I was packing.

There have been a lot of improvements to npm -- especially around conflicts and race conditions during install -- since July 2014. Can you try updating your npm installation?

To update npm, run npm -g install npm@latest

For some Linux distributions (Debian/Ubuntu and RedHat/CentOS), the latest node version provided by the distribution may lag behind the stable version. Here are instructions from NodeSource on getting the latest node.

We are trying to clean up older npm issues, so if we don't hear back from you within a week, we will close this issue. (Don't worry -- you can always come back again and open a new issue!)

Thanks!

@funerr

@smikes, from the checks I did today on Windows it worked (latest npm). I would advise checking it on some Linux distro (preferably on Ubuntu) and trying to lower the npm version until we find the corrupted npm version.

@smikes

I'm glad to hear it works for you on Windows with the latest npm; that's great.

If you have the time to track down the revision that introduced / fixed this bug, or if you discover that it's still a problem when you have a chance to check on Ubuntu, please let us know here.

@funerr

@smikes, I can't find the version (my computer was formatted) but I can guess (from the issue date - Jul 19, 2014) that the npm version should be up to 1.4.20 (2c501dd).

@othiym23

I'm going to call this issue resolved, with the caveats that the following are still outstanding questions:

In general, installing and then repacking packages is not going to be idempotent. Is it important for you that the two be the same, and if so, why?

@othiym23 othiym23 closed this Jan 31, 2015