Is your feature request related to a problem? Please describe.
The build process currently does not support reproducible builds. This is necessary for some packaging systems, like Nix.
Describe the solution you'd like
Support reproducible builds by updating the package-lock.json file to include integrity and resolved fields.
Describe alternatives you've considered
N/A
Additional context
I am trying to package zwave-js-ui for Nix. However, the build system fails because the lockfile is missing the integrity hashes, which it uses to copy the node modules from a cache store.
I'm not sure how you generated the lock file? When I do the following (from alpine:3.18.4 image), I get something completely different than what currently exists:
Here is the result: kpine@e6a8380
Of course, if you do the same at a different time, the dependent packages may update.
I also noticed the Dockerfile is using npm install. This seems less than ideal as it is possible for npm to update packages? This makes the Docker builds also non-reproducible. Along with the lockfile update, the Dockerfile should probably use npm ci for installation. My understanding is that npm ci will not re-write any packages.
> I also noticed the Dockerfile is using npm install

Yeah, it does, but when doing releases that line is not triggered, as it will re-use node_modules from the previous action step. I did this to optimize the build. Anyway, for consistency that could be converted to npm ci :)
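One way to check a lockfile for the problem described in this issue, as an added example (not code from the zwave-js-ui project): it scans the `packages` map of a lockfileVersion 2/3 `package-lock.json` for entries that lack `resolved` or `integrity`. The function name, the sample lockfile, its package names and its hashes are constructed for illustration.

```javascript
// Added example: audit the "packages" map of an npm lockfile (v2/v3).
// SRI strings look like "<algo>-<base64 digest>", optionally space-separated.
const SRI = /^(sha1|sha256|sha384|sha512)-[A-Za-z0-9+/]+={0,2}$/;

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip entries that legitimately carry no tarball metadata:
    // the root project (""), workspace folders, symlinks, bundled deps.
    if (!path.includes("node_modules/")) continue;
    if (entry.link || entry.inBundle) continue;

    const problems = [];
    if (typeof entry.resolved !== "string") problems.push("missing resolved");
    if (typeof entry.integrity !== "string") {
      problems.push("missing integrity");
    } else if (!entry.integrity.split(/\s+/).every((h) => SRI.test(h))) {
      problems.push("malformed integrity");
    }
    if (problems.length) findings.push({ path, version: entry.version, problems });
  }
  return findings;
}

// Constructed sample lockfile (package names and hashes are made up).
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/alpha": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/alpha/-/alpha-1.2.3.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==",
    },
    "node_modules/beta": { version: "2.0.0" }, // both fields absent
    "node_modules/gamma": {
      version: "0.1.0",
      resolved: "https://registry.npmjs.org/gamma/-/gamma-0.1.0.tgz",
      integrity: "not-a-hash",
    },
    "node_modules/alpha/node_modules/delta": { version: "3.0.0", inBundle: true },
  },
};

for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.path}@${f.version}: ${f.problems.join(", ")}`);
}
```

To audit a real lockfile, pass the parsed JSON of `package-lock.json` to `auditLockfile`; an empty result means every registry entry carries both fields.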