Closed sigJoe closed 1 month ago
Now using node v20.9.0 (npm v10.1.0)
436b67980267bd8e76b3b10c6bafe003e9e5d03d sha512-/W/ehBBXd1ntYclIepRcTTbGQBfM8JJ58ZFq/UclTOgHmsLadEtIL4AK70XSqOj8iKKvie28RvAjwD3DzblXDw==
Now using node v20.10.0 (npm v10.2.3)
8e3498a02350e7ac553dc06db49a3a7e5afd18d3 sha512-WgLmVikp330S8GzB38rhr6sp/cNz+GMFaBJxej87yibBlNlC2ttIUpZkE3M+XRuGu8uO9niTp6EDNNbfbs/0ew==
Don't think this is related to npm version based on below tests.
/workarea/rep $ npx npm@10.6.0 pack --json --dry-run | jq -r '.[0] |{ "sha": .shasum, "int": .integrity, "size": .size, "unpackedSize": .unpackedSize}'
{
"sha": "3eb3ae661270b4fc978e4b5d3c88f27325bd142a",
"int": "sha512-VWPG/EdB83QPG2Nun12aZYuB/QzMuV6FQeZ4XGLiVfcT49NKs/Gma5MSqj/y/1AXZNlcjscQAmkkOceAqW2KYw==",
"size": 278,
"unpackedSize": 219
}
~/workarea/rep $ npx npm@10.5.0 pack --json --dry-run | jq -r '.[0] |{ "sha": .shasum, "int": .integrity, "size": .size, "unpackedSize": .unpackedSize}'
{
"sha": "3eb3ae661270b4fc978e4b5d3c88f27325bd142a",
"int": "sha512-VWPG/EdB83QPG2Nun12aZYuB/QzMuV6FQeZ4XGLiVfcT49NKs/Gma5MSqj/y/1AXZNlcjscQAmkkOceAqW2KYw==",
"size": 278,
"unpackedSize": 219
}
~/workarea/rep $ npx npm@10.4.0 pack --json --dry-run | jq -r '.[0] |{ "sha": .shasum, "int": .integrity, "size": .size, "unpackedSize": .unpackedSize}'
{
"sha": "3eb3ae661270b4fc978e4b5d3c88f27325bd142a",
"int": "sha512-VWPG/EdB83QPG2Nun12aZYuB/QzMuV6FQeZ4XGLiVfcT49NKs/Gma5MSqj/y/1AXZNlcjscQAmkkOceAqW2KYw==",
"size": 278,
"unpackedSize": 219
}
~/workarea/rep $ npx npm@10.3.0 pack --json --dry-run | jq -r '.[0] |{ "sha": .shasum, "int": .integrity, "size": .size, "unpackedSize": .unpackedSize}'
{
"sha": "3eb3ae661270b4fc978e4b5d3c88f27325bd142a",
"int": "sha512-VWPG/EdB83QPG2Nun12aZYuB/QzMuV6FQeZ4XGLiVfcT49NKs/Gma5MSqj/y/1AXZNlcjscQAmkkOceAqW2KYw==",
"size": 278,
"unpackedSize": 219
}
~/workarea/rep $ npx npm@10.2.0 pack --json --dry-run | jq -r '.[0] |{ "sha": .shasum, "int": .integrity, "size": .size, "unpackedSize": .unpackedSize}'
{
"sha": "3eb3ae661270b4fc978e4b5d3c88f27325bd142a",
"int": "sha512-VWPG/EdB83QPG2Nun12aZYuB/QzMuV6FQeZ4XGLiVfcT49NKs/Gma5MSqj/y/1AXZNlcjscQAmkkOceAqW2KYw==",
"size": 278,
"unpackedSize": 219
}
~/workarea/rep $ npx npm@10.1.0 pack --json --dry-run | jq -r '.[0] |{ "sha": .shasum, "int": .integrity, "size": .size, "unpackedSize": .unpackedSize}'
{
"sha": "3eb3ae661270b4fc978e4b5d3c88f27325bd142a",
"int": "sha512-VWPG/EdB83QPG2Nun12aZYuB/QzMuV6FQeZ4XGLiVfcT49NKs/Gma5MSqj/y/1AXZNlcjscQAmkkOceAqW2KYw==",
"size": 278,
"unpackedSize": 219
}
~/workarea/rep $ node -v
v22.7.0
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
Not sure if bug, but I certainly found this unexpected. I was working on some tooling that verified package integrity, and found that packages built on node v20.10.0 (npm v10.2.3) or later are 28 bytes larger and probably a bit different from those created on node v20.9.0 (npm v10.1.0) or earlier.
I confirmed previous behaviour back to node v16.17.1 (npm v8.15.0). New behaviour exists in latest node 22.3.0 (npm v10.8.1).
I didn't see any explicit mention in the documentation, so I figured I'd post and ask if this was intended.
Gzip shows the method deflate and CRC are the same despite having a different compressed size.
The shasum and integrity are also different:
Expected Behavior
Packages built by
npm pack
should have the same size and integrity if none of the files have changed.Steps To Reproduce
npm pack --json
and rename the output packages so you can tell which is whichgunzip -lv
,file
,xxd
, etc.) to see the packages are different.Environment