verify hermeticity of node_modules directory #1

alexeagle · 2017-08-26T23:52:39Z

We encourage users to use the locking mechanism in their package manager, but we don't check that the dependencies match the versions in the lock file for each run.

Any time the node_modules directory changes, we should run yarn check --integrity.

catches issue with user having wrong yarn version installed
prevents builds failing due to unexpected changes in node_modules (eg. user has installed something and not updated the yarn.lock)

currently we only do this when the repository_rule runs, and it's not re-run until the WORKSPACE changes.

Not sure what to do about npm.

The text was updated successfully, but these errors were encountered:

jupp0r · 2017-11-06T20:14:57Z

There is one additional requirement needed for reproducibility: the npm registry needs to return identical packages for a given version. As I understand, this is not guaranteed to be the case for npmjs.org. Packages can change for any version without warning.

alexeagle · 2017-11-06T21:11:20Z

Any pointer to where I can read more about that? I know npm allows you to unpublish a package for the first few hours, but other than that I thought they are unchangeable.

…

On Mon, Nov 6, 2017, 12:14 PM Jupp Müller ***@***.***> wrote: There is one additional requirement needed for reproducibility: the npm registry needs to return identical packages for a given version. As I understand, this is not guaranteed to be the case for npmjs.org. Packages can change for any version without warning. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAC5IxniSGv2n-RuGpegPTGkIt3InIBVks5sz2jCgaJpZM4PDp3I> .

jupp0r · 2017-11-06T21:48:35Z

Alex, you are right. Npm violated that rule during the left-pad disaster, thats where my misconception originated.

Once a package is published with a given name and version, that specific name and version combination can never be used again, even if it is removed with npm-unpublish.

https://docs.npmjs.com/cli/publish

…e_modules during WORKSPACE instantiation. If you add in your `WORKSPACE`: ```python npm_install( name = "foo", packages = ":package.json", ) ``` Then in the `BUILD` file you can write: ```python nodejs_binary( name = "bar", node_modules = "@foo//:node_modules", ... ) ```

alexeagle · 2018-11-30T18:09:38Z

In the time since this issue was filed, we introduced "bazel-managed node modules".

If you want the behavior that the node_modules is always up-to-date with the current build, you should use that feature.

I don't think we should fix this in the case of user-managed node_modules - if you install them yourself, then you are subject to the usual pitfall of forgetting to re-install after dependencies change.

Minor fix

Fixes #1 PiperOrigin-RevId: 156909101

alexeagle mentioned this issue Aug 26, 2017

Run yarn check --integrity at the right time bazelbuild/rules_typescript#8

Closed

alexeagle added the enhancement label Sep 14, 2017

alexeagle mentioned this issue Nov 2, 2017

Project does not build due to bazel error angular/tsickle#639

Closed

alexeagle added the help wanted label Nov 13, 2017

alexeagle mentioned this issue Jan 10, 2018

WIP: initial version of ng_package angular/angular#21431

Closed

alexeagle added the beta-blocking label Jan 23, 2018

alexeagle mentioned this issue Feb 15, 2018

bazel test ... fails angular/angular-bazel-example#86

Closed

alexeagle closed this as completed Nov 30, 2018

mrmeku referenced this issue in mrmeku/rules_nodejs Apr 17, 2020

Merge pull request #1 from mrmeku/linker_no_root_symlink

c61b31f

Minor fix

alexeagle pushed a commit that referenced this issue May 26, 2020

Update protractor_web_test.bzl (#1)

fe868ce

matthewjh mentioned this issue Jul 29, 2020

v2: workspace name imports not working with rollup #2086

Closed

alexeagle mentioned this issue Sep 8, 2020

[governance] resolve ownership of rules_typescript #2120

Closed

alexeagle pushed a commit that referenced this issue Oct 21, 2020

Allow ts_library without tsconfig attribute.

7654302

Fixes #1 PiperOrigin-RevId: 156909101

alexeagle mentioned this issue May 19, 2021

Documentation intro page is out of date with respect to Bazel-managed dependencies #2686

Closed

matthewjh mentioned this issue Nov 30, 2021

Planning for 5.0 #2892

Closed

lbhdc mentioned this issue Dec 27, 2022

[FR]: Support Angular 13+ #3614

Closed

orblix mentioned this issue Jan 11, 2023

Migrating a create-react-app to use Bazel fails due to conflicting eslint configs #3617

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

verify hermeticity of node_modules directory #1

verify hermeticity of node_modules directory #1

alexeagle commented Aug 26, 2017

jupp0r commented Nov 6, 2017

alexeagle commented Nov 6, 2017 via email

jupp0r commented Nov 6, 2017

alexeagle commented Nov 30, 2018

verify hermeticity of node_modules directory #1

verify hermeticity of node_modules directory #1

Comments

alexeagle commented Aug 26, 2017

jupp0r commented Nov 6, 2017

alexeagle commented Nov 6, 2017 via email

jupp0r commented Nov 6, 2017

alexeagle commented Nov 30, 2018