verify hermeticity of node_modules directory #1
There is one additional requirement needed for reproducibility: the npm registry needs to return identical packages for a given version. As I understand, this is not guaranteed to be the case for npmjs.org. Packages can change for any version without warning.
Any pointer to where I can read more about that? I know npm allows you to unpublish a package for the first few hours, but other than that I thought they are unchangeable.
On Mon, Nov 6, 2017, 12:14 PM Jupp Müller wrote:

> There is one additional requirement needed for reproducibility: the npm registry needs to return identical packages for a given version. As I understand, this is not guaranteed to be the case for npmjs.org. Packages can change for any version without warning.
Alex, you are right. Npm violated that rule during the left-pad disaster, that's where my misconception originated.
In the time since this issue was filed, we introduced "bazel-managed node modules". If you want the behavior that the …e_modules during WORKSPACE instantiation. If you add in your `WORKSPACE`:

```python
npm_install(
    name = "foo",
    packages = ":package.json",
)
```

Then in the `BUILD` file you can write:

```python
nodejs_binary(
    name = "bar",
    node_modules = "@foo//:node_modules",
    ...
)
```

I don't think we should fix this in the case of user-managed node_modules - if you install them yourself, then you are subject to the usual pitfall of forgetting to re-install after dependencies change.
Fixes #1 PiperOrigin-RevId: 156909101
We encourage users to use the locking mechanism in their package manager, but we don't check that the dependencies match the versions in the lock file for each run.
Any time the node_modules directory changes, we should run `yarn check --integrity`. Currently we only do this when the repository_rule runs, and it's not re-run until the WORKSPACE changes.
Not sure what to do about `npm`.