The vendored dependencies generated by `deno cache --vendor --node-modules-dir` are not completely reproducible. This inconsistency poses challenges for projects aiming for deterministic builds.

Steps to Reproduce:

1. Run `deno cache --vendor --node-modules-dir` on a project.
2. Save the hashes of all vendored dependencies to a file: `sha256sum $(find vendor node_modules -type f | sort) | tee first_hashes.txt`
3. Delete all vendored dependencies: `rm -rf vendor node_modules`
4. `deno cache --vendor --node-modules-dir`
5. `sha256sum $(find vendor node_modules -type f | sort) | tee second_hashes.txt`
6. `diff first_hashes.txt second_hashes.txt`

Expected Behavior

The vendored directories should only change if the vendored dependencies actually changed.

Actual Behavior

The `node_modules/.setup-cache.bin` file differs with each execution. There may be more files that are not reproducible.

Environment

Deno version: 1.44.4

Additional Context

I am trying to build reproducible Deno applications with Nix. The idea is basically to ensure all dependencies are locked, then fetch all using `deno cache`, and then verify that the output matches a predefined hash. These vendored dependencies are then copied to a read-only store and symlinked into the project.

Thank you for your attention to this matter. Your efforts in improving Deno's reliability and consistency are greatly appreciated.
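An added example (not part of the original issue or of Deno): shell helpers that compare two vendoring runs file by file and reduce a run to one digest, with an optional file name to leave out of the comparison so that other non-reproducible files show up. The helper names and the demo trees are constructed for illustration, GNU `find`, `sort`, `xargs` and `sha256sum` are assumed, and whether `.setup-cache.bin` can safely be ignored is an assumption the issue does not confirm.

```shell
#!/bin/sh
# Added example, not from the issue or the Deno project. Helper names are hypothetical.

# manifest ROOT [SKIP]: print "sha256  path" for every file under ROOT/vendor and
# ROOT/node_modules in a stable order, leaving out files whose base name is SKIP.
manifest() {
    (
        cd "$1" || exit 1
        if [ -n "${2:-}" ]; then set -- ! -name "$2"; else set --; fi
        # NUL-delimited so that paths containing spaces are passed intact.
        find vendor node_modules -type f "$@" -print0 |
            LC_ALL=C sort -z | xargs -0 -r sha256sum
    )
}

# tree_digest ROOT [SKIP]: a single digest over the whole manifest, suitable for pinning.
tree_digest() {
    manifest "$1" "${2:-}" | sha256sum | cut -d' ' -f1
}

# changed_files A B [SKIP]: paths that are missing on one side or hash differently.
changed_files() {
    { manifest "$1" "${3:-}"; manifest "$2" "${3:-}"; } |
        LC_ALL=C sort | LC_ALL=C uniq -u |
        sed 's/^[0-9a-f]*  //' | LC_ALL=C sort -u
}

# make_demo_run DIR TAG: constructed stand-in for one vendoring run. TAG plays the
# role of the per-run bytes that end up in node_modules/.setup-cache.bin.
make_demo_run() {
    mkdir -p "$1/vendor/example.com" "$1/node_modules/pkg"
    printf 'export const x = 1;\n' > "$1/vendor/example.com/mod.ts"
    printf 'module.exports = 1;\n' > "$1/node_modules/pkg/index.js"
    printf '%s' "$2" > "$1/node_modules/.setup-cache.bin"
}

demo() {
    tmp=$(mktemp -d)
    make_demo_run "$tmp/first" run-1
    make_demo_run "$tmp/second" run-2
    echo "differs between runs:"
    changed_files "$tmp/first" "$tmp/second"
    echo "digest without the cache file: $(tree_digest "$tmp/first" .setup-cache.bin)"
    rm -rf "$tmp"
}
demo
```

Against a real project, pass the project root of each run to `changed_files`; an empty result with the skip name set means no other file differed between the two runs.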