Possible reproducible builds regression in npm/pnpm (needs investigation)

Chris Lamb chris at reproducible-builds.org
Wed Apr 9 21:11:29 BST 2025


kpcyrd wrote:

> I'm suspecting that, at some point, the package.json is deserialized
> into a javascript data structure, and then serialized back into json,
> with their dictionary/hashmap implementation causing ordering issues

That would be my reading as well. I don't think we're seeing this
in Debian yet, as we should see 100s of packages suddenly become
unreproducible (right?). But this fact might be useful: what versions
of npm and pnpm are you using? At least we can narrow it down to a
version range.

A very cursory search of the npm codebase finds 10s of
JSON.stringify(...) callsites related to the package.json file, hence
worth knowing this. :)


Best wishes,

-- 
      o
    ⬋   ⬊      Chris Lamb
   o     o     reproducible-builds.org 💠
    ⬊   ⬋
      o
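As an added illustration of the round-trip hypothesis discussed above (example code written for this note, not npm's or pnpm's own; the package.json texts and helper names are constructed), this checks whether a JSON.parse/JSON.stringify round-trip changes the bytes of a package.json and which top-level keys JavaScript's property ordering moves:

```javascript
// Re-serialize the way a JSON.stringify(obj, null, indent) call site would
// and report the first line that differs. Assumes a trailing newline is
// written, as npm does.
function checkRoundTrip(text, indent = 2) {
  const rewritten = JSON.stringify(JSON.parse(text), null, indent) + "\n";
  if (rewritten === text) return { identical: true };
  const a = text.split("\n"), b = rewritten.split("\n");
  let i = 0;
  while (i < a.length && i < b.length && a[i] === b[i]) i++;
  return { identical: false, line: i + 1, original: a[i] ?? "", rewritten: b[i] ?? "" };
}

// Top-level object keys in the order they appear in the text. JSON.parse
// cannot give us this, because JS objects enumerate integer-like keys first.
function topLevelKeysInTextOrder(text) {
  const keys = [];
  let depth = 0, i = 0;
  while (i < text.length) {
    if (text[i] === '"') {
      let j = i + 1;
      while (text[j] !== '"') { if (text[j] === "\\") j++; j++; }
      let k = j + 1;
      while (/\s/.test(text[k])) k++;
      // at depth 1, a string followed by ':' is a key of the root object
      if (depth === 1 && text[k] === ":") keys.push(JSON.parse(text.slice(i, j + 1)));
      i = j + 1;
      continue;
    }
    if (text[i] === "{" || text[i] === "[") depth++;
    else if (text[i] === "}" || text[i] === "]") depth--;
    i++;
  }
  return keys;
}

// Keys that are no longer at their textual position after deserialization.
function reorderedKeys(text) {
  const textual = topLevelKeysInTextOrder(text);
  return Object.keys(JSON.parse(text)).filter((k, i) => k !== textual[i]);
}

// Constructed samples: stable 2-space form, a 4-space variant, and an
// integer-like key that JS moves to the front regardless of textual order.
const SAMPLE_STABLE = '{\n  "name": "demo",\n  "version": "1.0.0"\n}\n';
const SAMPLE_INDENT = '{\n    "name": "demo",\n    "version": "1.0.0"\n}\n';
const SAMPLE_INTKEY = '{\n  "name": "demo",\n  "2024": "x",\n  "version": "1.0.0"\n}\n';

console.log(checkRoundTrip(SAMPLE_INDENT), reorderedKeys(SAMPLE_INTKEY));
```

Running this over a tree of package.json files before and after an install step shows which ones a serialize-back would rewrite, and why.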