I really don't see how Debian can uphold its "mandatory reproducibility" standpoint and depend on an npm package...
So I've overseen a GSoC project in Guix that tried to do the same thing, and at this point I and most of the Guix team are convinced that it just can't be done. The package structures just go far, far too deep, and are very frequently circular; the kinds of problems you have with bootstrapping a compiler to be reasonably reproducible apply here just as badly, but for everyday packages, since packages often depend on prior versions of themselves to build and the package authors are frequently not even aware of this.
I don't like that this is my conclusion. It's holding back some of my own work.
since packages often depend on prior versions of themselves to build and the package authors are frequently not even aware of this
How can that possibly happen?
many of the npm packages aren't actually built directly in a clear way from their source
(I obviously know nothing about npm)
What happens is, a build tool includes some utility at a prior version when it's written. But then the utility switches to using that build tool, maybe even indirectly through several other packages. Now the build tool requires the utility, and the utility requires the build tool. I don't remember the details, but that's a real example of something some Guix developers were working through IIRC, and there are many other cases of this happening.
Eventually that leads to this (I don't know the provenance of that image though!)
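An added example, not code from anyone in this thread nor from Guix or npm: a small JavaScript model of the build-tool/utility loop described above. The registry is constructed for illustration, and dependency specs are treated as exact versions (an assumption; real npm resolves semver ranges). To build a package from source you need its runtime dependencies and its devDependencies already built, so the walk follows both. It either returns a leaves-first build order, which exposes the "depends on a prior version of itself" chains, or the closed loop that makes a pure source bootstrap impossible without a pre-built seed.

```javascript
// Added example: finding bootstrap chains and cycles in an npm-style
// dependency graph. The registry is constructed, not real packages, and
// the resolver assumes exact-version specs rather than semver ranges.

const registry = {
  "build-tool": {
    "1.0.0": { dependencies: {}, devDependencies: {} },
    "2.0.0": { dependencies: { utility: "1.0.0" }, devDependencies: {} },
    "3.0.0": { dependencies: { utility: "2.0.0" }, devDependencies: {} },
    // 4.0.0 depends on a utility version that is itself built with 4.0.0.
    "4.0.0": { dependencies: { utility: "3.0.0" }, devDependencies: {} },
  },
  utility: {
    "1.0.0": { dependencies: {}, devDependencies: { "build-tool": "1.0.0" } },
    "2.0.0": { dependencies: {}, devDependencies: { "build-tool": "2.0.0" } },
    "3.0.0": { dependencies: {}, devDependencies: { "build-tool": "4.0.0" } },
  },
};

function key(name, version) {
  return `${name}@${version}`;
}

// Everything that must already be built before name@version can be built
// from source: runtime deps (they end up inside the build) plus devDeps
// (the tooling that performs the build).
function buildInputs(reg, name, version) {
  const m = reg[name] && reg[name][version];
  if (!m) throw new Error(`unknown package ${key(name, version)}`);
  return Object.entries(Object.assign({}, m.dependencies, m.devDependencies));
}

// Depth-first walk over the from-source closure. Returns { order, cycle }:
// `order` is a leaves-first build order when one exists, otherwise `cycle`
// is the loop (first node repeated at the end) that blocks a source bootstrap.
function bootstrapPlan(reg, name, version) {
  const state = new Map(); // key -> "visiting" | "done"
  const stack = []; // current DFS path, used to report the cycle
  const order = [];
  let cycle = null;

  function visit(n, v) {
    const k = key(n, v);
    if (state.get(k) === "done") return;
    if (state.get(k) === "visiting") {
      cycle = stack.slice(stack.indexOf(k)).concat(k);
      return;
    }
    state.set(k, "visiting");
    stack.push(k);
    for (const [dn, dv] of buildInputs(reg, n, v)) {
      if (cycle) break;
      visit(dn, dv);
    }
    stack.pop();
    state.set(k, "done");
    order.push(k);
  }

  visit(name, version);
  return cycle ? { order: null, cycle } : { order, cycle: null };
}

// Versions of `name` itself that must be built before name@version can be,
// i.e. the "package depends on a prior version of itself" case. In the cycle
// case the list contains the very same version: it needs itself to exist.
function selfVersionsNeeded(reg, name, version) {
  const plan = bootstrapPlan(reg, name, version);
  const keys = plan.order ? plan.order.slice(0, -1) : plan.cycle;
  const prefix = name + "@";
  return [...new Set(keys.filter((k) => k.startsWith(prefix)).map((k) => k.slice(prefix.length)))];
}

console.log(bootstrapPlan(registry, "build-tool", "3.0.0"));
console.log(selfVersionsNeeded(registry, "build-tool", "3.0.0"));
console.log(bootstrapPlan(registry, "build-tool", "4.0.0"));
console.log(selfVersionsNeeded(registry, "build-tool", "4.0.0"));
```

For `build-tool@3.0.0` the plan is a chain: `build-tool@1.0.0`, `utility@1.0.0`, `build-tool@2.0.0`, `utility@2.0.0`, then `3.0.0` itself, so a distro has to carry two older versions of the tool just to build the current one. For `build-tool@4.0.0` there is no order at all, only the loop `build-tool@4.0.0 -> utility@3.0.0 -> build-tool@4.0.0`, which is the point at which a binary seed becomes unavoidable and reproducibility from source alone stops being achievable.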