I really don't see how Debian can uphold its "mandatory reproducibility" standpoint and depend on an npm package...
So I've overseen a GSoC project in Guix that tried to do the same thing, and at this point I and most of the Guix team are convinced that it just can't be done. The package structures just go far, far too deep, and are very frequently circular; the kinds of problems you have with bootstrapping a compiler to be reasonably reproducible apply here just as badly, but for everyday packages, since packages often depend on prior versions of themselves to build and the package authors are frequently not even aware of this.
Sadly, I think npm broke the hope of a free web using its system, and most of JavaScript uses it. I spent a long time hoping we could integrate it, and many I know have spent plenty of effort, but I'm afraid that npm, in its current design, is incompatible with a safely reproducible system.
Sadly that screws over most free software web applications. At this point our best bet, I think, is to put our hopes on languages which aren't JavaScript but compile to either JavaScript or the browser, and in the meanwhile to write vanilla JavaScript that doesn't have these constraints.
I don't like that this is my conclusion. It's holding back some of my own work.
Christopher Allan Webber at 2017-08-17T13:46:59Z
AJ Jordan, Tyng-Ruey Chuang likes this.
since packages often depend on prior versions of themselves to build and the package authors are frequently not even aware of this
How can that possibly happen?
many of the npm packages aren't actually built directly in a clear way from their source
whaaa?
(I obviously know nothing about npm)
Christopher Allan Webber likes this.
@joeyh npm packages include their dependencies recursively. See this blogpost for more info. npm encourages many small packages, many of them smaller than their metadata.
What happens is, a build tool includes some utility at a prior version when it's written. But then the utility switches to using that build tool, maybe even indirectly through several other packages. Now the build tool requires the utility, and the utility requires the build tool. I don't remember the details, but that's a real example of something some Guix developers were working through IIRC, and there are many other cases of this happening.
Eventually that leads to this (I don't know the provenance of that image though!)
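The build-tool/utility loop described in the thread can be made concrete with a small dependency walk. The following is an added example, not code from the thread, from Guix or from npm: the package names, versions and `devDeps` edges are constructed to mirror the story above (a build tool first ships with no deps, a utility adopts the build tool, the next build tool release bundles the utility). It separates the two questions a distro packager actually has to answer: is there a cycle at the package-name level (the "depends on a prior version of itself" smell), and is there still a version-level build order that starts from source with no prebuilt binary?

```javascript
// Constructed example graphs (hypothetical package names and versions).
// Each key is "name@version"; devDeps lists what is needed to build that version.
const CLEAN_CHAIN = {
  "build-tool@1.0.0": { devDeps: [] },                    // first release needs nothing
  "util@1.0.0":       { devDeps: ["build-tool@1.0.0"] },  // util starts building with build-tool
  "build-tool@2.0.0": { devDeps: ["util@1.0.0"] },        // build-tool now pulls in util
  "util@2.0.0":       { devDeps: ["build-tool@2.0.0"] },
};

// Same story, but the oldest build-tool was itself built with a util release
// that never existed as source in our graph: it only exists as a published tarball.
const BINARY_SEED = {
  ...CLEAN_CHAIN,
  "build-tool@1.0.0": { devDeps: ["util@0.9.0"] },
};

// Worst case: two versions that each need the other, exactly as published.
const HARD_CYCLE = {
  "build-tool@3.0.0": { devDeps: ["util@3.0.0"] },
  "util@3.0.0":       { devDeps: ["build-tool@3.0.0"] },
};

const nameOf = (id) => id.slice(0, id.lastIndexOf("@"));

// Collapse all versions of a package to one node and report cycles by DFS.
// A cycle here means some version of A needs some version of B and vice versa:
// the "depends on a prior version of itself" situation from the thread.
function packageLevelCycles(pkgs) {
  const edges = new Map();
  for (const [id, { devDeps }] of Object.entries(pkgs)) {
    const n = nameOf(id);
    if (!edges.has(n)) edges.set(n, new Set());
    for (const d of devDeps) edges.get(n).add(nameOf(d));
  }
  const cycles = [];
  const state = new Map(); // 1 = on the DFS stack, 2 = finished
  const stack = [];
  function visit(n) {
    state.set(n, 1);
    stack.push(n);
    for (const m of edges.get(n) ?? []) {
      if (state.get(m) === 1) cycles.push(stack.slice(stack.indexOf(m)));
      else if (!state.has(m)) visit(m);
    }
    stack.pop();
    state.set(n, 2);
  }
  for (const n of edges.keys()) if (!state.has(n)) visit(n);
  return cycles;
}

// Version-level plan: dependencies-first build order for `target`, plus every
// version that is referenced but has no entry in the graph (it can only be
// satisfied by a prebuilt artifact). Throws if the versions themselves form a
// cycle, because then no from-source order exists at all.
function bootstrapPlan(pkgs, target) {
  const order = [];
  const prebuilt = new Set();
  const state = new Map();
  function visit(id) {
    if (state.get(id) === 2) return;
    if (state.get(id) === 1) {
      throw new Error(`version-level cycle through ${id}: not buildable from source`);
    }
    if (!(id in pkgs)) { prebuilt.add(id); return; }
    state.set(id, 1);
    for (const d of pkgs[id].devDeps) visit(d);
    state.set(id, 2);
    order.push(id);
  }
  visit(target);
  return { order, prebuilt: [...prebuilt] };
}

// Usage: the name-level cycle exists in all three graphs, but only the first
// has an order that starts from source and needs no binary seed.
console.log(packageLevelCycles(CLEAN_CHAIN));
console.log(bootstrapPlan(CLEAN_CHAIN, "util@2.0.0"));
console.log(bootstrapPlan(BINARY_SEED, "util@2.0.0").prebuilt);
try { bootstrapPlan(HARD_CYCLE, "util@3.0.0"); } catch (e) { console.log(e.message); }
```

The distinction matters for a reproducibility policy: `CLEAN_CHAIN` is the benign case, where an old enough release of the build tool can be packaged first and everything newer is built on top of it in order. `BINARY_SEED` is the case the thread is really about, where walking the versions back bottoms out in a dependency that only ever existed as a published artifact, so "build from source" silently means "trust that tarball". `HARD_CYCLE` cannot be bootstrapped at all without patching one side to drop the dependency.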