So I've overseen a GSoC project in Guix that tried to do the same thing, and at this point I and most of the Guix team are convinced that it just can't be done. The package structures just go far, far too deep, and are very frequently circular; the kinds of problems you have with bootstrapping a compiler to be reasonably reproducible apply here just as badly, but for everyday packages, since packages often depend on prior versions of themselves to build and the package authors are frequently not even aware of this.
Sadly, I think npm broke the hope of a free web using its system, and most of JavaScript uses it. I spent a long time hoping we could integrate it, and many I know have spent plenty of effort, but I'm afraid that npm, in its current design, is incompatible with a safely reproducible system.
Sadly that screws over most free software web applications. At this point our best bet, I think, is to put our hopes on languages which aren't JavaScript but compile to either JavaScript or the browser, and in the meanwhile to write vanilla JavaScript that doesn't have these constraints.
I don't like that this is my conclusion. It's holding back some of my own work.
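The two failure modes described in the post above (dependency graphs that are circular at the package level, and packages that need an earlier version of themselves to build) can be checked mechanically once the manifests are in hand. The following is an added example written for this page, not code from Guix or from any npm tooling; the manifests are constructed toy data shaped like the `dependencies` field of a package.json, and it assumes exact version pins rather than the semver ranges real npm manifests use. It finds name-level cycles with Tarjan's strongly-connected-components algorithm and, separately, walks each package's transitive closure looking for another version of the same package.

```python
"""Audit a set of package manifests for dependency cycles and
self-bootstrap loops (a package that transitively needs an older
version of itself).  All data here is constructed for illustration."""
from typing import Dict, List, Set, Tuple

PkgId = Tuple[str, str]  # (name, version)

# Constructed manifests: (name, version) -> {dependency name: pinned version}.
# Names and versions are made up; they do not refer to real packages.
MANIFESTS: Dict[PkgId, Dict[str, str]] = {
    ("left-pad-ish", "2.0.0"): {"builder-tool": "1.0.0"},
    ("builder-tool", "1.0.0"): {"left-pad-ish": "1.0.0"},  # cycle by name
    ("left-pad-ish", "1.0.0"): {},
    ("gen-tool", "3.0.0"): {"gen-tool": "2.0.0"},          # needs its own older release
    ("gen-tool", "2.0.0"): {},
    ("util", "1.0.0"): {},
}


def build_name_graph(manifests: Dict[PkgId, Dict[str, str]]) -> Dict[str, Set[str]]:
    """Collapse versions: one node per package name, edge name -> dependency name."""
    graph: Dict[str, Set[str]] = {}
    for (name, _version), deps in manifests.items():
        graph.setdefault(name, set()).update(deps)
        for dep_name in deps:
            graph.setdefault(dep_name, set())  # make sure every dependency is a node
    return graph


def find_cycles(graph: Dict[str, Set[str]]) -> List[List[str]]:
    """Tarjan's SCC algorithm; returns components that contain a cycle
    (size > 1, or a single node with a self-edge), each sorted by name."""
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    stack: List[str] = []
    on_stack: Set[str] = set()
    cycles: List[List[str]] = []
    counter = [0]

    def strongconnect(v: str) -> None:
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in graph.get(v, ()):
            if w not in index:
                strongconnect(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:  # v is the root of a component
            component = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                component.append(w)
                if w == v:
                    break
            if len(component) > 1 or v in graph.get(v, ()):
                cycles.append(sorted(component))

    for node in sorted(graph):
        if node not in index:
            strongconnect(node)
    return sorted(cycles)


def self_bootstrap_deps(manifests: Dict[PkgId, Dict[str, str]]) -> Dict[PkgId, PkgId]:
    """For each package version, walk its transitive dependencies and report
    the first other version of the same package found in that closure."""
    found: Dict[PkgId, PkgId] = {}
    for root in manifests:
        name, version = root
        seen: Set[PkgId] = set()
        todo: List[PkgId] = [root]
        while todo:
            node = todo.pop()
            if node in seen:
                continue
            seen.add(node)
            # Dependencies without a manifest are simply leaves here.
            for dep_name, dep_version in manifests.get(node, {}).items():
                dep = (dep_name, dep_version)
                if dep_name == name and dep_version != version:
                    found.setdefault(root, dep)
                todo.append(dep)
    return found


if __name__ == "__main__":
    for component in find_cycles(build_name_graph(MANIFESTS)):
        print("cycle among:", ", ".join(component))
    for pkg, older in self_bootstrap_deps(MANIFESTS).items():
        print(f"{pkg[0]}@{pkg[1]} transitively needs {older[0]}@{older[1]}")
```

The name-level graph is the one that matters for bootstrapping from source: even when every pin points at a distinct version, a cycle among names means no package in that component can be built from scratch without some pre-built artifact entering the process. On real manifests the pinned versions would have to be resolved from semver ranges and a lockfile first.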
@cwebber@identi.ca two things, first, wasn't the Guix project an attempt to solve the problem in general automatically? That's going to be really hard. I think Debian's packaging may generate a template, but all of the tools end up requiring manual curation.
Diane Trout at 2017-08-19T05:02:27Z
@cwebber@identi.ca second thing is I finally saw the post you responded to, and that sounds like modifying pip or npm to install Debian packages if available, instead of getting everything from the language-based repository. Of course I haven't watched the video and so may still be totally wrong.
Diane Trout at 2017-08-19T05:04:38Z
Guix's solution was to automate as much as possible, but in the end it required manual curation. Even simple npm packages tend to have hundreds to thousands of dependencies.
Making this doubly complicated is that many of the npm packages aren't actually built directly in a clear way from their source. If you really care about reproducibility, not being able to get easily from source code to some usable package is a real problem.
Christopher Allan Webber at 2017-08-19T13:35:41Z