Improve reproducibility for vendored dependencies #24479

Closed
zebreus opened this issue Jul 9, 2024 · 1 comment
Labels
bug Something isn't working correctly

Comments

@zebreus
Contributor

zebreus commented Jul 9, 2024

The vendored dependencies generated by deno cache --vendor --node-modules-dir are not completely reproducible. This inconsistency poses challenges for projects aiming for deterministic builds.

Steps to Reproduce:

  • Run deno cache --vendor --node-modules-dir on a project.
  • Save the hashes of all vendored dependencies to a file: sha256sum $(find vendor node_modules -type f | sort) | tee first_hashes.txt
  • Delete all vendored dependencies: rm -rf vendor node_modules
  • Recreate them: deno cache --vendor --node-modules-dir
  • Save the hashes of all vendored dependencies to a second file: sha256sum $(find vendor node_modules -type f | sort) | tee second_hashes.txt
  • View the differences between the hashes: diff first_hashes.txt second_hashes.txt
683c683
< 8d0ebafdcb329e0fa5c924e3edd3f8aae215631cbe723f5e661cab43d0a4cd3e  node_modules/.deno/.setup-cache.bin
---
> 6dbe428cde5a3286a7a00035206ea7688247b70ccfb6fe639bbd43123979cf85  node_modules/.deno/.setup-cache.bin

Expected Behavior

The vendored directories should only change if the vendored dependencies actually changed.

Actual Behavior

The node_modules/.setup-cache.bin file differs with each execution. There may be more files that are not reproducible.

Environment

Deno version: 1.44.4

Additional Context

I am trying to build reproducible Deno applications with Nix. The idea is basically to ensure all dependencies are locked, then fetch all using deno cache, and then verify that the output matches a predefined hash. These vendored dependencies are then copied to a read-only store and symlinked into the project.

Thank you for your attention to this matter. Your efforts in improving Deno's reliability and consistency are greatly appreciated.

@lucacasonato lucacasonato added the bug Something isn't working correctly label Jul 9, 2024
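
An added example, not part of the original issue or of Deno's code: the reproduction steps above as reusable shell functions that also tolerate file names with spaces, reduce the tree to one digest that can be pinned, and print only the paths that differ between two runs. The function names (manifest, tree_hash, changed_paths, make_run) are hypothetical, and the two runs are constructed stand-ins for real deno cache output.

```bash
#!/usr/bin/env bash
# Added example (not from the issue): locate non-reproducible vendored files.

# manifest DIR...: "sha256  path" per regular file. NUL-delimited and sorted
# bytewise, so names with spaces and very large trees are handled, unlike
# sha256sum $(find ...). Run from the project root so paths stay relative.
manifest() {
  find "$@" -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum
}

# tree_hash DIR...: one digest over the manifest, suitable for pinning.
tree_hash() {
  manifest "$@" | sha256sum | cut -d' ' -f1
}

# changed_paths OLD NEW: paths whose hash differs or that exist in one run only.
changed_paths() {
  diff "$1" "$2" | sed -n 's/^[<>] [0-9a-f]\{64\}  //p' | sort -u
}

# make_run ROOT CACHE: constructed stand-in for one `deno cache` run
# (hypothetical file contents; only the setup cache differs between runs).
make_run() {
  mkdir -p "$1/vendor/example.com" "$1/node_modules/.deno"
  printf 'export const x = 1;\n' > "$1/vendor/example.com/mod with space.ts"
  printf '%s' "$2" > "$1/node_modules/.deno/.setup-cache.bin"
}

demo() {
  local tmp; tmp=$(mktemp -d)
  make_run "$tmp/first" "cache-bytes-A"
  make_run "$tmp/second" "cache-bytes-B"
  (cd "$tmp/first" && manifest vendor node_modules) > "$tmp/first_hashes.txt"
  (cd "$tmp/second" && manifest vendor node_modules) > "$tmp/second_hashes.txt"
  echo "non-reproducible files:"
  changed_paths "$tmp/first_hashes.txt" "$tmp/second_hashes.txt"
  rm -rf "$tmp"
}
demo
```
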
@dsherret
Member

Fixed by #24480
