Skip to content

Commit fff3693

Browse files
authored
fix(nix): derive npm deps from lockfile via importNpmLock (#54)
## Problem Every Dependabot dependency PR fails the `test-nix` check with a Nix hash mismatch, e.g.: ``` error: hash mismatch for sysdig-vscode-ext-vsix-…-npm-deps To correct the hash mismatch … use "sha256-…" ``` `vsix.nix` pins a fixed-output `npmDepsHash` derived from `package-lock.json`. Any lockfile change (i.e. every dependency bump) changes that hash, so the build fails until the hash is manually updated — something Dependabot cannot do. This blocks PRs #40, #41, #42, #44, #46 and every future bump. ## Fix Replace the pinned `npmDepsHash` with `importNpmLock`, which reads dependencies directly from `package-lock.json` with no fixed-output hash: ```nix npmDeps = importNpmLock { npmRoot = ./.; }; npmConfigHook = importNpmLock.npmConfigHook; ``` After this, dependency bumps no longer touch any Nix hash — `test-nix` stays green on a plain rebase. ## Verification Built locally on macOS against `nixpkgs-unstable`: ``` $ nix build .#sysdig-vscode-vsix … DONE Packaged: sysdig-vscode-ext-0.2.16.vsix (198 files, 353.03 KB) ``` ## Follow-up Once merged, the open Dependabot PRs just need `@dependabot rebase` to go green — no per-PR hash edits.
1 parent 727ff13 commit fff3693

4 files changed

Lines changed: 7 additions & 11 deletions

File tree

.pre-commit-config.yaml

Lines changed: 0 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -18,8 +18,3 @@ repos:
1818
- ts
1919
- json
2020
pass_filenames: false
21-
- id: rehash
22-
name: rehash
23-
language: system
24-
entry: just rehash-npm-nix
25-
pass_filenames: false

Justfile

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,6 @@ update:
1919
nix flake update
2020
nix develop --command pre-commit autoupdate
2121
nix develop --command npm update
22-
nix develop --command just rehash-npm-nix
2322
nix develop --command just update-scanner-version
2423
nix develop --command pinact run -u --diff
2524

@@ -31,6 +30,3 @@ update-scanner-version:
3130
echo "Latest: $latest"
3231
sd "(export const SCANNER_VERSION : string = ')[^']+(';)" "\${1}$latest\${2}" src/config/configScanner.ts
3332
echo "Version updated"
34-
35-
rehash-npm-nix:
36-
sd 'npmDepsHash = ".*";' "npmDepsHash = \"$(nix hash convert --to sri $(prefetch-npm-deps ./package-lock.json))\";" vsix.nix

flake.nix

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -76,7 +76,6 @@
7676
nodejs
7777
pinact
7878
pre-commit
79-
prefetch-npm-deps
8079
sd
8180
typescript
8281
typescript-language-server

vsix.nix

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
{
22
buildNpmPackage,
33
clang_20,
4+
importNpmLock,
45
lib,
56
libsecret,
67
pkg-config,
@@ -14,7 +15,12 @@ buildNpmPackage {
1415
pname = "${packageJson.name}-vsix";
1516
version = packageJson.version;
1617
src = ./.;
17-
npmDepsHash = "sha256-07D441mHQIGb9kR6B/JVv/z+Y4bj5W7zI7+xgDP6qqI=";
18+
19+
# Derive npm dependencies directly from package-lock.json instead of pinning
20+
# a fixed-output npmDepsHash. This way dependency bumps (e.g. Dependabot PRs)
21+
# don't require manually updating a hash to keep the Nix build green.
22+
npmDeps = importNpmLock { npmRoot = ./.; };
23+
npmConfigHook = importNpmLock.npmConfigHook;
1824

1925
nativeBuildInputs = [
2026
pkg-config

0 commit comments

Comments
 (0)