Possible reproducible builds regression in npm/pnpm (needs investigation)
kpcyrd
kpcyrd at archlinux.org
Wed Apr 9 11:15:32 BST 2025
Dear list,
I noticed one of my Arch Linux packages failed to reproduce with the
following diff:
--- /tmp/rebuilderdBAqaFI/inputs/wrangler-4.9.0-1-x86_64.pkg.tar.zst
+++ /tmp/rebuilderdBAqaFI/out/wrangler-4.9.0-1-x86_64.pkg.tar.zst
├── wrangler-4.9.0-1-x86_64.pkg.tar
│ ├── file list
│ │ @@ -1,9 +1,9 @@
│ │ -rw-r--r-- 0 root (0) root (0) 6567 2025-04-08 17:31:17.000000 .BUILDINFO
│ │ --rw-r--r-- 0 root (0) root (0) 67172 2025-04-08 17:31:17.000000 .MTREE
│ │ +-rw-r--r-- 0 root (0) root (0) 67170 2025-04-08 17:31:17.000000 .MTREE
│ │ -rw-r--r-- 0 root (0) root (0) 536 2025-04-08 17:31:17.000000 .PKGINFO
│ │ drwxr-xr-x 0 root (0) root (0) 0 2025-04-08 17:31:17.000000 usr/
│ │ drwxr-xr-x 0 root (0) root (0) 0 2025-04-08 17:31:17.000000 usr/bin/
│ │ lrwxrwxrwx 0 root (0) root (0) 0 2025-04-08 17:31:17.000000 usr/bin/wrangler -> ../lib/node_modules/wrangler/bin/wrangler.js
│ │ lrwxrwxrwx 0 root (0) root (0) 0 2025-04-08 17:31:17.000000 usr/bin/wrangler2 -> ../lib/node_modules/wrangler/bin/wrangler.js
│ │ drwxr-xr-x 0 root (0) root (0) 0 2025-04-08 17:31:17.000000 usr/lib/
│ │ drwxr-xr-x 0 root (0) root (0) 0 2025-04-08 17:31:17.000000 usr/lib/node_modules/
│ ├── .MTREE
│ │ ├── .MTREE-content
│ │ │ @@ -12,15 +12,15 @@
│ │ │ ./usr/lib time=1744133477.0 type=dir
│ │ │ ./usr/lib/node_modules time=1744133477.0 type=dir
│ │ │ /set mode=644
│ │ │ ./usr/lib/node_modules/wrangler time=1744133477.0 mode=755 type=dir
│ │ │ ./usr/lib/node_modules/wrangler/README.md time=1744133477.0 size=3190 sha256digest=a6e290c2b3ce6eca749bad68f8341e8b26fc165cb7c0bb1bdf52ee5175842cbe
│ │ │ ./usr/lib/node_modules/wrangler/config-schema.json time=1744133477.0 size=88874 sha256digest=4aa5fd46220a5c0643e22e6c8e8969c6a0214d13f05bafa927a9b71fe9370d33
│ │ │ ./usr/lib/node_modules/wrangler/kv-asset-handler.js time=1744133477.0 size=46 sha256digest=6f1fde6806a68eaa919a699f2af7e95f93fd0bdcb8c6d717042cb6c01bf3e11f
│ │ │ -./usr/lib/node_modules/wrangler/package.json time=1744133477.0 size=5650 sha256digest=30228bf63c64ad07ecb30438974a8ba66e8a1bc42b5c4e74f56db256650b26d6
│ │ │ +./usr/lib/node_modules/wrangler/package.json time=1744133477.0 size=5650 sha256digest=bdace054dc322d8e020e7fcdc7820a59de87d48fb3f24331bc4eee9e9082f26e
│ │ │ ./usr/lib/node_modules/wrangler/bin time=1744133477.0 mode=755 type=dir
│ │ │ ./usr/lib/node_modules/wrangler/bin/wrangler.js time=1744133477.0 mode=755 size=3121 sha256digest=387560ba9900a1b6efdcd94c20f9d6ffcb06a195bbf036cfcd54e89f2f7b0758
│ │ │ /set mode=755
│ │ │ ./usr/lib/node_modules/wrangler/node_modules time=1744133477.0 type=dir
│ │ │ /set mode=777
│ │ │ ./usr/lib/node_modules/wrangler/node_modules/.bin time=1744133477.0 mode=755 type=dir
│ │ │ ./usr/lib/node_modules/wrangler/node_modules/.bin/acorn time=1744133477.0 type=link link=../acorn/bin/acorn
│ ├── usr/lib/node_modules/wrangler/package.json
│ │ ├── Pretty-printed
│ │ │┄ Ordering differences only
│ │ │ @@ -132,17 +132,17 @@
│ │ │ "vitest": "~3.0.8",
│ │ │ "vitest-websocket-mock": "^0.4.0",
│ │ │ "ws": "8.18.0",
│ │ │ "xdg-app-paths": "^8.3.0",
│ │ │ "xxhash-wasm": "^1.0.1",
│ │ │ "yargs": "^17.7.2",
│ │ │ "@cloudflare/cli": "1.1.1",
│ │ │ + "@cloudflare/pages-shared": "^0.13.24",
│ │ │ "@cloudflare/eslint-config-worker": "1.1.0",
│ │ │ "@cloudflare/workers-shared": "0.17.1",
│ │ │ - "@cloudflare/pages-shared": "^0.13.24",
│ │ │ "@cloudflare/workers-tsconfig": "0.0.0"
│ │ │ },
│ │ │ "peerDependencies": {
│ │ │ "@cloudflare/workers-types": "^4.20250405.0"
│ │ │ },
│ │ │ "peerDependenciesMeta": {
│ │ │ "@cloudflare/workers-types": {
I believe this is either a regression in npm or pnpm (it's hard to say
without further investigation) that may also affect other distros.
The specific build instructions for that package are:
pnpm install -C packages/wrangler --frozen-lockfile
turbo build
pnpm pack -C packages/wrangler
Which builds a .tgz (which is an npm package format) and then uses:
npm install -g --prefix "${pkgdir}/usr" "workers-sdk-wrangler-${pkgver}/packages/wrangler/wrangler-${pkgver}.tgz"
To install the built npm application into a directory that is then
packed into an Arch Linux .pkg.tar.zst.
I'm suspecting that, at some point, the package.json is deserialized
into a JavaScript data structure, and then serialized back into JSON,
with their dictionary/hashmap implementation causing ordering issues
(although I'm surprised it's just a single key).
I haven't reported this upstream yet because it's not clear whether the
deserialize-then-serialize-again is done by pnpm when building the .tgz,
or by npm when extracting the .tgz.
I'm very occupied with irl things at the moment, maybe somebody feels
inspired to look into this.
cheers,
kpcyrd
More information about the Reproducible-builds mailing list