Built-Using for NodeJS/Javascript packages
[Starting a separate thread for this discussion; this was originally
in a thread about nbdime]
On Thu, Jul 31, 2025 at 02:41:56PM +0200, Jérémy Lal wrote:
> Le jeu. 31 juil. 2025 à 14:31, Julian Gilbey <jdg@debian.org> a écrit :
> [...]
>
> Since NodeJS often packs sources together into the resulting
> dist/index.js (or similar), we should probably make much more use of
> Built-Using in the NodeJS packages, so that the builds are
> reproducible, at least at each Debian release time.
>
> Such bundles are built by their respective packages, which are
> Build-Depended upon.
> Builds are reproducible.
I just rebuilt node-rjsf from source on a Debian testing machine. The
resulting file /usr/share/nodejs/@rjsf/core/dist/index.js is slightly
different from that in the official 5.12.1+~5.0.1-3 package. I cannot
reproduce the build, as the bundled React Javascript seems to have
changed slightly in the meantime. So the build is reproducible to the
extent that if the environment is identical, the results will be too.
In the case of a system like Python, the resulting scripts in the
binary package are usually just copies of the scripts in the source
package, and dependencies are loaded at runtime. But that is
frequently not the case with Javascript/NodeJS packages: tools such as
rollup or webpack appear to bundle their sources into a single output
file rather than loading them at runtime. This can lead to
significant version skew and hard-to-trace bugs when a package is
later rebuilt.
> Further down the
> line, it would be good if every time a NodeJS or similar package is
> updated, all of its reverse dependencies are also automatically
> rebuilt.
>
> That would be awesome, however, that would cost a lot of VM.
> Jérémy
This is a good point. We already do regular complete archive
rebuilding, so this would not be that onerous if it were not done for
every upload. In testing, there are currently about 1760 JS/NodeJS
source packages, of which only a tiny handful (16) are not
Architecture: all. Rebuilding that many packages is not that bad, I
would guess, especially as it would only be needed on one buildd arch,
and most updates only have a small number of reverse dependencies.
Perhaps something like a weekly binary rebuild of this subsystem would
be helpful? But it would benefit from using Built-Using throughout
the ecosystem to ensure that only the needed packages are rebuilt. I
know that pkg-js-tools generates a ${nodejs:BuiltUsing} substvar, so
we could probably just use that. (Alternatively, we could use the
existing Build-Depends fields, but that may not be as useful.) I'm
not sure why the manpage suggests using XB-Javascript-Built-Using,
though; it should presumably be just Built-Using, as the release
managers use that field to prepare releases. (I also think there's a
bug in the code that generates this substvar; I've just submitted
#1110204 to the BTS to address this.)
Best wishes,
Julian
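
An added example, not part of the original message and not pkg-js-tools code: a sketch of how Built-Using fields could limit a rebuild to the binary packages that embed an outdated source version. The package names, versions and helper functions are constructed for illustration; the `source (= version)` entry syntax is the one Debian Policy defines for Built-Using.

```python
import re

# Constructed sample stanzas: names and versions are illustrative only.
PACKAGES = """\
Package: node-example-app
Built-Using: node-example-lib (= 2.0-1),
 node-example-util (= 0.3-2)

Package: node-example-widget
Built-Using: node-example-lib (= 2.1-1)

Package: node-example-plain
"""
# Constructed map of source package -> version currently in the archive.
CURRENT_SOURCES = {"node-example-lib": "2.1-1", "node-example-util": "0.3-2"}
ENTRY = re.compile(r"^\s*(\S+)\s*\(\s*=\s*(\S+?)\s*\)\s*$")

def parse_stanzas(text):
    """Yield one dict per control stanza, folding continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        yield fields

def built_using(fields):
    """Return {source: version} from a Built-Using field (strict '=' only)."""
    result = {}
    for entry in filter(None, fields.get("Built-Using", "").split(",")):
        m = ENTRY.match(entry)
        if not m:
            raise ValueError(f"malformed Built-Using entry: {entry!r}")
        result[m.group(1)] = m.group(2)
    return result

def stale_packages(packages_text, current_sources):
    """Map each binary package to sources whose embedded version is outdated."""
    stale = {}
    for fields in parse_stanzas(packages_text):
        # A source missing from current_sources also counts as a mismatch.
        diffs = {src: (ver, current_sources.get(src))
                 for src, ver in built_using(fields).items()
                 if current_sources.get(src) != ver}
        if diffs:
            stale[fields["Package"]] = diffs
    return stale
```

With the sample data, `stale_packages(PACKAGES, CURRENT_SOURCES)` reports only node-example-app, since it is the one package that records an older node-example-lib than the archive currently carries.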