You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Due to what is probably a bug in npm¹, lots of package-lock.json files lack the resolved URLs as well as integrity hashes for packages pinned in it.
This creates a problem for our current npm build infrastructure, that relies on a cache-only policy to ensure reproducibility.
Reproducer
One example² that breaks on this scenario is bokehjs, the javascript bits of bokeh:
bokehjs> npm ERR! code ENOTCACHED
bokehjs> npm ERR! request to https://registry.npmjs.org/p-map failed: cache mode is 'only-if-cached' but no cached response is available.
This can be reproduced by building python3.pkgs.bokeh.bokehjs in #215406.
Prior art
With the rust fetcher there is an issue, where cargo lock files don't contain hashes for git dependencies. In that case hashes will be embedded into the derivation in an attribute set cargoLock.outputHashes that maps from <package>-<version> to hash.
Something similar could be implemented for the npm fetcher.
Problem
Due to what is probably a bug in npm¹, lots of
package-lock.json
files lack the resolved URLs as well as integrity hashes for packages pinned in it.This creates a problem for our current npm build infrastructure, that relies on a
cache-only
policy to ensure reproducibility.Reproducer
One example² that breaks on this scenario is
bokehjs
, the javascript bits ofbokeh
:This can be reproduced by building
python3.pkgs.bokeh.bokehjs
in #215406.Prior art
With the rust fetcher there is an issue, where cargo lock files don't contain hashes for git dependencies. In that case hashes will be embedded into the derivation in an attribute set
cargoLock.outputHashes
that maps from<package>-<version>
tohash
.Something similar could be implemented for the npm fetcher.
[1] npm/cli#4460
[2] https://github.com/bokeh/bokeh/blob/91f0c3c9b04da751094642790511593fae41533d/bokehjs/package-lock.json#L101-L114
The text was updated successfully, but these errors were encountered: