by junon 1803 days ago
Your builds are not reproducible with anything related to npm. Neither npm nor any bundler that I'm aware of guarantees that.

Unless we're not talking about the same reproducibility property. Also I don't know what "hermetic" means in this context but I doubt it's anything that npm solves correctly.


There is a way, but it's troublesome. Create a docker image with installed node modules. Save it, and from then onwards you have frozen node modules. If you need a new dependency/updated version you need to create a new image and npm i.
That's absolutely no different than just installing and not re-installing. Docker adds nothing in this case.

Not re-building doesn't make your build reproducible. It just means that you're... not building. If I save the result of a single iteration of an RNG, I can't claim that the RNG always produces the same result because I saved the result somewhere...

Where did they say they're not building? Building your app does not mean you install the modules every time. Some apps are so large they have to be split into chunks / layers anyway. In golang this used to be the way you'd add deps: check the entire source into your version control.
Building the same project even without re-installing node modules has absolutely no guarantee of reproducibility.
Oh please explain what’s different. The entire code chunk is the same. How is that not reproducible?
The code being the same != reproducible. Build tools can incorporate e.g. build timestamps into the built artifacts, or randomize the output for e.g. pattern scanning/patch deterrence.

The input is irrelevant. I think you should have a look at what reproducible builds really are before evangelizing them.