npm 5.7.1 pack/publish setting timestamp to epoch #19968
Comments
This is pretty bad. See also acornjs/acorn#680 |
Just to add to the list tj/commander.js#777, according to npmjs.com package was downloaded 2,138,687 times in the last day (not specifically the broken version but has already started causing problems). This is pretty much breaking all development and deployment systems using npm without package-lock.json (or npm-shrinkwrap.json). |
Great Scott! Not the solution I had expected. |
For the curious: We started using |
A new version of the [commander](https://www.npmjs.com/package/commander) package is available. However, there are no functional changes in the release; it is simply a repackaging with an older version of npm to get around a [bug](npm/npm#19968) that had been introduced in npm 5.7.1. This lack of functional changes can be verified by comparing the differences in the codebase between [v2.15.0 and v2.15.1](tj/commander.js@v2.15.0...v2.15.1). Though nothing has changed, it is important to keep the dependency's version number up to date.
A new version of the [commander](https://www.npmjs.com/package/commander) package is available. However, there are no functional changes in the release; it is simply a repackaging with an older version of npm to get around a [bug](npm/npm#19968) that had been introduced in npm 5.7.1. This lack of functional changes can be verified by comparing the differences in the codebase between [v2.15.0 and v2.15.1](tj/commander.js@v2.15.0...v2.15.1). Though nothing has changed, it is important to keep the dependency's version number up to date.
@zkat We're now experiencing packaged files having their lastModified date overwritten with Oct 26th, 1985, which is messing with cache headers. However, it's a bit of an odd one: We have 2
The files in the first package have a correct lastModified date, the files originating from the second Any idea what could be causing this behavior? This is on npm v5.8.0. |
Some further investigation:
So for now I guess we'll stick to 5.6.0. Would you like me to open a separate issue for this? |
@pleunv: this is working as intended. We have every intention of keeping the consistent dates going forward because they enable reproducible builds for npm packages. |
I don't understand, how is this consistent? Depending on some variable I can't figure out (package.json location?) I'm getting all the lastModified timestamps of the installed files reset to epoch (or new equivalent) while the creation date is current. Something has to be affecting this somehow otherwise I would be seeing the same behavior when packaging from the project root, which I'm not. Is there a specific scenario in which this is the expected outcome? Because that would already help me forward. Or, maybe easier: what is supposed to be the default behavior now? Should files be installed in |
Or maybe I'm not explaining it properly, so another attempt 😄 left side: build output, creation & lastModified date = time of build |
@pleunv what you're observing is indeed intended. Can you clarify how this default timestamp is causing you problems? |
The packages are pushed to a static file host, currently used in conjunction with a |
@pleunv the behavior now is that new packages are published with that timestamp, which means that's what you get when you extract, regardless of what version of npm you're extracting from -- what matters is what was used to pack it. My only guess as to your inconsistency is that you're not using the npm version you think you're using to package the toplevel package (keep in mind that if you're doing this in a |
Alright thanks, will give that a try. Guess I'll be looking for a workaround for my caching issue then :) |
@pleunv might I recommend that you use a hash-based caching scheme, or, in lieu of that, have a run-script that |
Hey @zkat, thanks for the tips, will take a look! The backend is not really under my control and the server is running Windows which both complicate things a little bit :) I'm guessing a postinstall script that looks up all files and updates the mdate is probably my best bet for now. I appreciate your time, I understand this repo is very busy :) |
Is there a CommandLine flag to disable his behaviour? We use NPM for internal used packages. And we also use this timestamp for caching purposes. For example: https://docs.npmjs.com/cli/build now states: "Last modified October 26, 1985" |
`npm pack` [briefly published packages with all files set to the Unix epoch](npm/npm#19968 (comment)). This plugin was incorrectly seeing such files as modified.
I'm opening this issue because:
What's going wrong?
npm pack
with 5.7.1 on node 8.9.4 is setting bogus epoch file timestamps.How can the CLI team reproduce the problem?
npm pack
tar ztvf xxx-x.y.z.tgz
Timestamps for all files are like
new Date(0)
with display adjusted for my timezone.supporting information:
npm -v
prints: 5.7.1node -v
prints: v8.9.4npm config get registry
prints: https://registry.npmjs.org/The text was updated successfully, but these errors were encountered: