USWDS - Bug: Release has bogus file dates

[bkline]

Describe the bug

The tar file for the latest release has files with timestamps back in October 26, 1985.

Steps to reproduce the bug

1. Download https://github.com/uswds/uswds/releases/download/v3.7.1/uswds-uswds-3.7.1.tgz
2. Unpack the tarfile
3. Look at the timestamps on the unpacked file

Expected Behavior

The files in the release tar file correctly reflect the date/time of creation.

Related code

No response

Screenshots

No response

System setup

No response

Additional context

No response

Code of Conduct

• I agree to follow this project's Code of Conduct.
• I checked the current issues for duplicate bug reports.

[mejiaj]

Thanks for reporting @bkline!

Confirming on mac OS 14.1.1.

Need to look into possible NPM issue and release script. This is using built-in npm pack, so no security concerns.

uswds/tasks/release.js

Line 37 in 2024488

const zip = spawn("npm", ["pack"]);

[mahoneycm]

It looks like this is actually the intended behavior from the node team based on this issue discussion.

Initial answer

The reason for this was so two separate npm pack calls done from the same commit -- even on separate computers, would be able to generate hash-identical tarballs. We didn't really expect that random software out there would have... pathological issues with old timestamps. We still want to preserve the feature, though, so picking an arbitrary date more recent than 1980 seemed like the way to go. Hopefully there's no more incompatibilities! ¹

Follow-up

We have every intention of keeping the consistent dates going forward because they enable reproducible builds for npm packages. ²

We should discuss what that means for USWDS and if we want to find a way to update this value to eliminate confusion for users who download and unzip the file.

Footnotes

1. https://github.com/npm/npm/issues/19968#issuecomment-372799983 ↩

2. https://github.com/npm/npm/issues/19968#issuecomment-383988984 ↩

[mejiaj]

@mahoneycm thanks for looking into it. You're right, we'll need to discuss whether we continue for find an alternative.

[bkline]

If nothing else, assuming this odd practice is continued, I would strongly suggest a prominent notice explaining the dates which otherwise seem highly suspicious, and suggest tampering.

[mahoneycm]

Since this is intended NPM behavior, we are going to close this ticket and update the website with the following note to inform users:

Note: The file date defaults to October 26, 1985, when you download and install this package. This is intentional. NPM sets a default date to ensure reproducible builds for npm packages.

We will continue to track this work at uswds/uswds-site#2499.

Thank you for flagging @bkline !