npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] created package size differs between 10.1.0 vs 10.2.3 #7610

Closed sigJoe closed 1 month ago

sigJoe commented 3 months ago

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

Not sure if bug, but I certainly found this unexpected. I was working on some tooling that verified package integrity, and found that packages built on node v20.10.0 (npm v10.2.3) or later are 28 bytes larger and probably a bit different from those created on node v20.9.0 (npm v10.1.0) or earlier.

I confirmed previous behaviour back to node v16.17.1 (npm v8.15.0). New behaviour exists in latest node 22.3.0 (npm v10.8.1).

I didn't see any explicit mention in the documentation, so I figured I'd post and ask if this was intended.

Gzip shows the method deflate and CRC are the same despite having a different compressed size.

# gunzip -lv 20.10.0.tgz       
method  crc     date  time    compressed uncompressed  ratio uncompressed_name
defla d3db456a Jun 24 12:55        16014       124416  87.1% 20.10.0.tar

# gunzip -lv 20.9.0.tgz 
method  crc     date  time    compressed uncompressed  ratio uncompressed_name
defla d3db456a Jun 24 12:55        15986       124416  87.1% 20.9.0.tar

# file 20.10.0.tgz 
20.10.0.tgz: gzip compressed data, max compression, original size modulo 2^32 124416

# file 20.9.0.tgz 
20.9.0.tgz: gzip compressed data, max compression, original size modulo 2^32 124416

The shasum and integrity are also different:

# nvm use 20.9.0
Now using node v20.9.0 (npm v10.1.0)
# npm pack --json --dry-run | jq -r '.[0]|.shasum,.integrity'
436b67980267bd8e76b3b10c6bafe003e9e5d03d
sha512-/W/ehBBXd1ntYclIepRcTTbGQBfM8JJ58ZFq/UclTOgHmsLadEtIL4AK70XSqOj8iKKvie28RvAjwD3DzblXDw==

# nvm use 20.10.0
Now using node v20.10.0 (npm v10.2.3)
# npm pack --json --dry-run | jq -r '.[0]|.shasum,.integrity'
8e3498a02350e7ac553dc06db49a3a7e5afd18d3
sha512-WgLmVikp330S8GzB38rhr6sp/cNz+GMFaBJxej87yibBlNlC2ttIUpZkE3M+XRuGu8uO9niTp6EDNNbfbs/0ew==

Expected Behavior

Packages built by npm pack should have the same size and integrity if none of the files have changed.

Steps To Reproduce

  1. Use nvm to switch between 20.9.0 (or earlier) and 20.10.0 (or later)
  2. Run npm pack --json and rename the output packages so you can tell which is which
  3. Compare the two JSON outputs to confirm no code changes
  4. Compare using other tools (gunzip -lv, file, xxd, etc.) to see the packages are different.

Environment

kellym202445 commented 3 months ago

nvm use 20.9.0

Now using node v20.9.0 (npm v10.1.0)

npm pack --json --dry-run | jq -r '.[0]|.shasum,.integrity'

436b67980267bd8e76b3b10c6bafe003e9e5d03d sha512-/W/ehBBXd1ntYclIepRcTTbGQBfM8JJ58ZFq/UclTOgHmsLadEtIL4AK70XSqOj8iKKvie28RvAjwD3DzblXDw==

nvm use 20.10.0

Now using node v20.10.0 (npm v10.2.3)

npm pack --json --dry-run | jq -r '.[0]|.shasum,.integrity'

8e3498a02350e7ac553dc06db49a3a7e5afd18d3 sha512-WgLmVikp330S8GzB38rhr6sp/cNz+GMFaBJxej87yibBlNlC2ttIUpZkE3M+XRuGu8uO9niTp6EDNNbfbs/0ew==

milaninfy commented 1 month ago

Don't think this is related to npm version, based on the tests below.

/workarea/rep $ npx npm@10.6.0 pack --json --dry-run | jq -r '.[0] |{ "sha": .shasum, "int": .integrity, "size": .size, "unpackedSize": .unpackedSize}'
{
  "sha": "3eb3ae661270b4fc978e4b5d3c88f27325bd142a",
  "int": "sha512-VWPG/EdB83QPG2Nun12aZYuB/QzMuV6FQeZ4XGLiVfcT49NKs/Gma5MSqj/y/1AXZNlcjscQAmkkOceAqW2KYw==",
  "size": 278,
  "unpackedSize": 219
}
~/workarea/rep $ npx npm@10.5.0 pack --json --dry-run | jq -r '.[0] |{ "sha": .shasum, "int": .integrity, "size": .size, "unpackedSize": .unpackedSize}'
{
  "sha": "3eb3ae661270b4fc978e4b5d3c88f27325bd142a",
  "int": "sha512-VWPG/EdB83QPG2Nun12aZYuB/QzMuV6FQeZ4XGLiVfcT49NKs/Gma5MSqj/y/1AXZNlcjscQAmkkOceAqW2KYw==",
  "size": 278,
  "unpackedSize": 219
}
~/workarea/rep $ npx npm@10.4.0 pack --json --dry-run | jq -r '.[0] |{ "sha": .shasum, "int": .integrity, "size": .size, "unpackedSize": .unpackedSize}'
{
  "sha": "3eb3ae661270b4fc978e4b5d3c88f27325bd142a",
  "int": "sha512-VWPG/EdB83QPG2Nun12aZYuB/QzMuV6FQeZ4XGLiVfcT49NKs/Gma5MSqj/y/1AXZNlcjscQAmkkOceAqW2KYw==",
  "size": 278,
  "unpackedSize": 219
}
~/workarea/rep $ npx npm@10.3.0 pack --json --dry-run | jq -r '.[0] |{ "sha": .shasum, "int": .integrity, "size": .size, "unpackedSize": .unpackedSize}'
{
  "sha": "3eb3ae661270b4fc978e4b5d3c88f27325bd142a",
  "int": "sha512-VWPG/EdB83QPG2Nun12aZYuB/QzMuV6FQeZ4XGLiVfcT49NKs/Gma5MSqj/y/1AXZNlcjscQAmkkOceAqW2KYw==",
  "size": 278,
  "unpackedSize": 219
}
~/workarea/rep $ npx npm@10.2.0 pack --json --dry-run | jq -r '.[0] |{ "sha": .shasum, "int": .integrity, "size": .size, "unpackedSize": .unpackedSize}'
{
  "sha": "3eb3ae661270b4fc978e4b5d3c88f27325bd142a",
  "int": "sha512-VWPG/EdB83QPG2Nun12aZYuB/QzMuV6FQeZ4XGLiVfcT49NKs/Gma5MSqj/y/1AXZNlcjscQAmkkOceAqW2KYw==",
  "size": 278,
  "unpackedSize": 219
}
~/workarea/rep $ npx npm@10.1.0 pack --json --dry-run | jq -r '.[0] |{ "sha": .shasum, "int": .integrity, "size": .size, "unpackedSize": .unpackedSize}'
{
  "sha": "3eb3ae661270b4fc978e4b5d3c88f27325bd142a",
  "int": "sha512-VWPG/EdB83QPG2Nun12aZYuB/QzMuV6FQeZ4XGLiVfcT49NKs/Gma5MSqj/y/1AXZNlcjscQAmkkOceAqW2KYw==",
  "size": 278,
  "unpackedSize": 219
}
~/workarea/rep $ node -v
v22.7.0
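
The gzip observation in the opening post (same CRC and uncompressed size, different compressed size and integrity), as an added example that is not part of the thread or npm's own code: `integrity` is a hash of the compressed `.tgz` bytes, so two deflate encodings of the same tar yield different values even though the gzip trailer and the decompressed payload match. The sample payload and the two zlib settings are constructed stand-ins for "two toolchains", not a statement of what changed between Node releases.

```javascript
const zlib = require('node:zlib');
const crypto = require('node:crypto');

// SRI string in the form npm prints as "integrity": sha512 over the given bytes.
function sri(buf) {
  return 'sha512-' + crypto.createHash('sha512').update(buf).digest('base64');
}

// gzip trailer (RFC 1952): the last 8 bytes hold CRC32 and ISIZE of the
// *uncompressed* data, little-endian. These are the values `gunzip -lv` lists.
function gzipTrailer(tgz) {
  return {
    crc: tgz.readUInt32LE(tgz.length - 8).toString(16).padStart(8, '0'),
    isize: tgz.readUInt32LE(tgz.length - 4),
  };
}

// Compare two archives at both layers: compressed bytes and decompressed payload.
function compareArchives(a, b) {
  const ta = gzipTrailer(a);
  const tb = gzipTrailer(b);
  return {
    sameCompressedBytes: sri(a) === sri(b),
    sameTrailer: ta.crc === tb.crc && ta.isize === tb.isize,
    samePayload: sri(zlib.gunzipSync(a)) === sri(zlib.gunzipSync(b)),
    sizeDelta: a.length - b.length,
  };
}

// Constructed sample payload standing in for the package's tar stream.
const payload = Buffer.from(
  Array.from({ length: 400 }, (_, i) => `module.exports.f${i % 37} = ${i * 7919};\n`).join('')
);

// Assumption: two encoders are simulated by changing memLevel at the same
// "max compression" level; the deflate stream differs, the content does not.
const buildA = zlib.gzipSync(payload, { level: 9 });
const buildB = zlib.gzipSync(payload, { level: 9, memLevel: 1 });

const result = compareArchives(buildA, buildB);
console.log(result);
```

For tooling that compares builds made on different Node versions, hashing the decompressed tar (`samePayload`) separates content changes from encoder changes; registry `integrity` values still have to be checked against the exact `.tgz` bytes.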