Merge pull request #1694 from numtide/align-npm-with-nixpkgs

fetchNpmDeps: rename cacheVersion to fetcherVersion

Author: Mic92

lib/fetch-npm-deps.nix

@@ -1,4 +1,4 @@
-# Custom fetchNpmDeps with packument caching support (cacheVersion = 2)
+# Custom fetchNpmDeps with packument caching support (fetcherVersion = 2)
 # This builds a vendored prefetch-npm-deps with packument fetching support,
 # which is needed for npm workspace support.
 # TODO: Remove this once the upstream PR is merged into nixpkgs.
@@ -81,8 +81,8 @@ let
       forceEmptyCache ? false,
       nativeBuildInputs ? [ ],
       npmRegistryOverridesString ? config.npmRegistryOverridesString or "{}",
-      # Cache format version. Set to 2 to enable packument caching for workspace support.
-      cacheVersion ? 1,
+      # Fetcher format version. Set to 2 to enable packument caching for workspace support.
+      fetcherVersion ? 1,
       ...
     }@args:
     let
@@ -136,9 +136,9 @@ let
 
         NIX_NPM_REGISTRY_OVERRIDES = npmRegistryOverridesString;
 
-        # Cache version controls which features are enabled in prefetch-npm-deps
+        # Fetcher version controls which features are enabled in prefetch-npm-deps
         # Version 2+ enables packument fetching for workspace support
-        NPM_CACHE_VERSION = toString cacheVersion;
+        NPM_FETCHER_VERSION = toString fetcherVersion;
 
         SSL_CERT_FILE =
           if

lib/prefetch-npm-deps/src/main.rs

@@ -31,6 +31,56 @@ fn get_packument_url(registry: &str, package_name: &str) -> anyhow::Result<Url>
         .map_err(|e| anyhow!("failed to construct packument URL: {e}"))
 }
 
+/// Normalize packument data to ensure determinism.
+///
+/// Strips volatile fields like `_rev`, `time`, and `modified`.
+/// Filters the `versions` map to only include versions requested in the lockfile.
+fn normalize_packument(
+    package_name: &str,
+    data: &[u8],
+    requested_versions: &HashSet<String>,
+) -> anyhow::Result<Vec<u8>> {
+    let mut json: Value = serde_json::from_slice(data)
+        .map_err(|e| anyhow!("failed to parse packument JSON for {package_name}: {e}"))?;
+
+    let obj = json
+        .as_object_mut()
+        .ok_or_else(|| anyhow!("packument for {package_name} is not a JSON object"))?;
+
+    // Strip volatile top-level fields
+    obj.remove("_rev");
+    obj.remove("time");
+    obj.remove("modified");
+
+    // Filter versions
+    if let Some(Value::Object(versions)) = obj.get_mut("versions") {
+        versions.retain(|version, _| requested_versions.contains(version));
+
+        // Normalize each version object
+        for version_val in versions.values_mut() {
+            if let Some(version_obj) = version_val.as_object_mut() {
+                // Strip fields starting with underscore (volatile/internal)
+                version_obj.retain(|key, _| !key.starts_with('_'));
+                // Strip other often-volatile fields
+                version_obj.remove("gitHead");
+            }
+        }
+    }
+
+    // Filter dist-tags to only point to versions we kept
+    if let Some(Value::Object(tags)) = obj.get_mut("dist-tags") {
+        tags.retain(|_, version_val| {
+            if let Some(version) = version_val.as_str() {
+                requested_versions.contains(version)
+            } else {
+                false
+            }
+        });
+    }
+
+    serde_json::to_vec(&json).map_err(|e| anyhow!("failed to re-serialize packument for {package_name}: {e}"))
+}
+
 /// Fetch and cache packuments (package metadata) for all packages.
 ///
 /// This is needed because npm may query package metadata for optional peer dependencies
@@ -43,60 +93,68 @@ fn get_packument_url(registry: &str, package_name: &str) -> anyhow::Result<Url>
 ///
 /// We cache both versions to ensure cache hits regardless of which header npm uses.
 /// See: pacote/lib/registry.js and @npmcli/arborist/lib/arborist/build-ideal-tree.js
-fn fetch_packuments(cache: &Cache, package_names: HashSet<String>) -> anyhow::Result<()> {
+fn fetch_packuments(
+    cache: &Cache,
+    package_versions: HashMap<String, HashSet<String>>,
+) -> anyhow::Result<()> {
     const CORGI_DOC: &str =
         "application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*";
     const FULL_DOC: &str = "application/json";
 
-    info!("Fetching {} packuments", package_names.len());
-
-    package_names.into_par_iter().try_for_each(|package_name| {
-        let packument_url = get_packument_url("https://registry.npmjs.org", &package_name)?;
-
-        match util::get_url_body_with_retry(&packument_url) {
-            Ok(packument_data) => {
-                // npm's make-fetch-happen uses the URL-encoded form for cache keys
-                // e.g., "https://registry.npmjs.org/@types%2freact-dom" not "@types/react-dom"
-                // We must use the encoded form in both the cache key string AND the metadata URL
-
-                // Cache with corgiDoc header (for initial requests)
-                cache
-                    .put(
-                        format!("make-fetch-happen:request-cache:{packument_url}"),
-                        packument_url.clone(),
-                        &packument_data,
-                        None, // Packuments don't have integrity hashes
-                        Some(ReqHeaders {
-                            accept: String::from(CORGI_DOC),
-                        }),
-                    )
-                    .map_err(|e| {
-                        anyhow!("couldn't insert packument cache entry (corgi) for {package_name}: {e:?}")
-                    })?;
-
-                // Cache with fullDoc header (for workspace/full metadata requests)
-                cache
-                    .put(
-                        format!("make-fetch-happen:request-cache:{packument_url}"),
-                        packument_url.clone(),
-                        &packument_data,
-                        None,
-                        Some(ReqHeaders {
-                            accept: String::from(FULL_DOC),
-                        }),
-                    )
-                    .map_err(|e| {
-                        anyhow!("couldn't insert packument cache entry (full) for {package_name}: {e:?}")
-                    })?;
-            }
-            Err(e) => {
-                // Log but don't fail - some packages might not need packuments
-                info!("Warning: couldn't fetch packument for {package_name}: {e}");
+    info!("Fetching {} packuments", package_versions.len());
+
+    package_versions
+        .into_par_iter()
+        .try_for_each(|(package_name, requested_versions)| {
+            let packument_url = get_packument_url("https://registry.npmjs.org", &package_name)?;
+
+            match util::get_url_body_with_retry(&packument_url) {
+                Ok(packument_data) => {
+                    let normalized_data =
+                        normalize_packument(&package_name, &packument_data, &requested_versions)?;
+
+                    // npm's make-fetch-happen uses the URL-encoded form for cache keys
+                    // e.g., "https://registry.npmjs.org/@types%2freact-dom" not "@types/react-dom"
+                    // We must use the encoded form in both the cache key string AND the metadata URL
+
+                    // Cache with corgiDoc header (for initial requests)
+                    cache
+                        .put(
+                            format!("make-fetch-happen:request-cache:{packument_url}"),
+                            packument_url.clone(),
+                            &normalized_data,
+                            None, // Packuments don't have integrity hashes
+                            Some(ReqHeaders {
+                                accept: String::from(CORGI_DOC),
+                            }),
+                        )
+                        .map_err(|e| {
+                            anyhow!("couldn't insert packument cache entry (corgi) for {package_name}: {e:?}")
+                        })?;
+
+                    // Cache with fullDoc header (for workspace/full metadata requests)
+                    cache
+                        .put(
+                            format!("make-fetch-happen:request-cache:{packument_url}"),
+                            packument_url.clone(),
+                            &normalized_data,
+                            None,
+                            Some(ReqHeaders {
+                                accept: String::from(FULL_DOC),
+                            }),
+                        )
+                        .map_err(|e| {
+                            anyhow!("couldn't insert packument cache entry (full) for {package_name}: {e:?}")
+                        })?;
+                }
+                Err(e) => {
+                    // Log but don't fail - some packages might not need packuments
+                    info!("Warning: couldn't fetch packument for {package_name}: {e}");
+                }
             }
-        }
 
-        Ok::<_, anyhow::Error>(())
-    })
+            Ok::<_, anyhow::Error>(())
+        })
 }
 
 /// `fixup_lockfile` rewrites `integrity` hashes to match cache and removes the `integrity` field from Git dependencies.
@@ -332,12 +390,24 @@ fn main() -> anyhow::Result<()> {
     let cache = Cache::new(out.join("_cacache"));
     cache.init()?;
 
-    // Collect unique package names for packument fetching
-    // Extract from lockfile keys like "node_modules/@scope/name" -> "@scope/name"
-    let package_names: HashSet<String> = packages
-        .iter()
-        .filter_map(|p| p.name.rsplit_once("node_modules/").map(|(_, n)| n.to_string()))
-        .collect();
+    // Collect package names and their versions from the lockfile for packument filtering.
+    // For non-aliased packages: extract from lockfile keys like "node_modules/@scope/name" -> "@scope/name"
+    // For aliased packages: the name is already the real package name (e.g., "string-width" not "string-width-cjs")
+    // We only care about packages that have a version string (registry packages).
+    let mut package_versions: HashMap<String, HashSet<String>> = HashMap::new();
+    for p in &packages {
+        if let Some(version) = &p.version {
+            let pkg_name = p
+                .name
+                .rsplit_once("node_modules/")
+                .map(|(_, name)| name.to_string())
+                .unwrap_or_else(|| p.name.clone());
+            package_versions
+                .entry(pkg_name)
+                .or_default()
+                .insert(version.to_string());
+        }
+    }
 
     // Fetch and cache tarballs
     packages.into_par_iter().try_for_each(|package| {
@@ -359,14 +429,15 @@ fn main() -> anyhow::Result<()> {
         Ok::<_, anyhow::Error>(())
     })?;
 
-    // Fetch and cache packuments (package metadata) - only for cache version 2+
-    let cache_version: u32 = env::var("NPM_CACHE_VERSION")
+    // Fetch and cache packuments (package metadata) - only for fetcher version 2+
+    let fetcher_version: u32 = env::var("NPM_FETCHER_VERSION")
         .ok()
         .and_then(|v| v.parse().ok())
         .unwrap_or(1);
 
-    if cache_version >= 2 {
-        fetch_packuments(&cache, package_names)?;
+    if fetcher_version >= 2 {
+        fetch_packuments(&cache, package_versions)?;
+        fs::write(out.join(".fetcher-version"), format!("{fetcher_version}"))?;
     }
 
     fs::write(out.join("package-lock.json"), lock_content)?;

lib/prefetch-npm-deps/src/parse/lock.rs

@@ -28,7 +28,8 @@ pub(super) fn packages(content: &str) -> anyhow::Result<Vec<Package>> {
             .map(|(n, p)| Package {
                 // Use the package's own name if present (for aliases like string-width-cjs -> string-width),
                 // otherwise extract from the lockfile key
-                name: Some(p.name.unwrap_or(n)),
+                name: Some(p.name.clone().unwrap_or(n)),
+                version: p.version,
                 ..p
             })
             .collect(),
@@ -78,6 +79,7 @@ struct OldPackage {
 pub(super) struct Package {
     #[serde(default)]
     pub(super) name: Option<String>,
+    pub(super) version: Option<UrlOrString>,
     pub(super) resolved: Option<UrlOrString>,
     pub(super) integrity: Option<HashCollection>,
 }
@@ -254,6 +256,7 @@ fn to_new_packages(
 
         new.push(Package {
             name: Some(name),
+            version: None, // v1 lockfiles don't include version in the same structure
             resolved: if matches!(package.version, UrlOrString::Url(_)) {
                 Some(package.version)
             } else {
@@ -315,6 +318,7 @@ mod tests {
         assert_eq!(new.len(), 1, "new packages map should contain 1 value");
         assert_eq!(new[0], Package {
             name: Some(String::from("sqlite3")),
+            version: None,
             resolved: Some(UrlOrString::Url(Url::parse("git+ssh://[email protected]/mapbox/node-sqlite3.git#593c9d498be2510d286349134537e3bf89401c4a").unwrap())),
             integrity: None
         });

lib/prefetch-npm-deps/src/parse/mod.rs

@@ -103,6 +103,7 @@ pub fn lockfile(
 #[derive(Debug)]
 pub struct Package {
     pub name: String,
+    pub version: Option<String>,
     pub url: Url,
     specifics: Specifics,
 }
@@ -123,6 +124,8 @@ impl Package {
             UrlOrString::String(_) => panic!("at this point, all packages should have URLs"),
         };
 
+        let version = pkg.version.map(|v| v.to_string());
+
         let specifics = match get_hosted_git_url(&resolved)? {
             Some(hosted) => {
                 let body = util::get_url_body_with_retry(&hosted)?;
@@ -166,6 +169,7 @@ impl Package {
 
         Ok(Package {
             name: pkg.name.unwrap(),
+            version,
             url: resolved,
             specifics,
         })

packages/amp/hashes.json

@@ -1,5 +1,5 @@
 {
   "version": "0.0.1767484898-g1f43db",
   "sourceHash": "sha256-8YV/xtFqHIQ9q6aC4JVdz0VuuI7XW6lQmKdWznUs6kE=",
-  "npmDepsHash": "sha256-82Jhb7YVbl7+Tq2rW2AcVpeLsM8y86movXHdBK8M3BE="
+  "npmDepsHash": "sha256-leTZHDEVIomq1QPEc7b/KhbumAET8VEsSVKINaBW440="
 }

packages/amp/package.nix

@@ -36,7 +36,7 @@ buildNpmPackage rec {
     inherit src;
     name = "${pname}-${version}-npm-deps";
     hash = versionData.npmDepsHash;
-    cacheVersion = 2;
+    fetcherVersion = 2;
   };
   makeCacheWritable = true;
 

packages/claude-code-acp/package.nix

@@ -21,8 +21,8 @@ buildNpmPackage rec {
   npmDeps = fetchNpmDepsWithPackuments {
     inherit src;
     name = "${pname}-${version}-npm-deps";
-    hash = "sha256-hhPp/1bk9iYHw1EnmMkCyuOaIvina0XRG76WBafLtDw=";
-    cacheVersion = 2;
+    hash = "sha256-S8gNJNWvHhpJYESwq0tjXdDkroG9P4VssJp0LKpPUfA=";
+    fetcherVersion = 2;
   };
   makeCacheWritable = true;
 

packages/claude-code-npm/hashes.json

@@ -1,5 +1,5 @@
 {
   "version": "2.0.76",
   "hash": "sha256-46IqiGJZrZM4vVcanZj/vY4uxFH3/4LxNA+Qb6iIHDk=",
-  "npmDepsHash": "sha256-LkE/7ttRW9Ym2nLRGjDgUgNIsb9b2EB+7tN6vZ+sbwg="
+  "npmDepsHash": "sha256-dlr7rOVBo8G7SZL7VqHHjIuCGNDyLYsgjveF1MkpEsU="
 }

packages/claude-code-npm/package.nix

@@ -35,7 +35,7 @@ buildNpmPackage {
     inherit src;
     name = "claude-code-npm-${version}-npm-deps";
     hash = npmDepsHash;
-    cacheVersion = 2;
+    fetcherVersion = 2;
   };
   makeCacheWritable = true;
 

packages/gemini-cli/package.nix

@@ -30,8 +30,8 @@ buildNpmPackage (finalAttrs: {
   npmDeps = fetchNpmDepsWithPackuments {
     inherit (finalAttrs) src;
     name = "${finalAttrs.pname}-${finalAttrs.version}-npm-deps";
-    hash = "sha256-TFQJ0mLlYQAlDSOuabli9B1nwTyUaIY/jHxT5QFYd4w=";
-    cacheVersion = 2;
+    hash = "sha256-ciOSSqsCOp4FF0hKPHYdjQAGQG9jXGCKkJM5qVdlP90=";
+    fetcherVersion = 2;
   };
   makeCacheWritable = true;