fix(nix): derive npm deps from lockfile via importNpmLock #54

Merged: airadier merged 2 commits into main from fix/nix-importnpmlock, Jun 18, 2026

@airadier (Contributor)

Problem

Every Dependabot dependency PR fails the test-nix check with a Nix hash mismatch, e.g.:

error: hash mismatch for sysdig-vscode-ext-vsix-…-npm-deps
To correct the hash mismatch … use "sha256-…"

vsix.nix pins a fixed-output npmDepsHash derived from package-lock.json. Any lockfile change (i.e. every dependency bump) changes that hash, so the build fails until the hash is manually updated — something Dependabot cannot do. This blocks PRs #40, #41, #42, #44, #46 and every future bump.

Fix

Replace the pinned npmDepsHash with importNpmLock, which reads dependencies directly from package-lock.json with no fixed-output hash:

npmDeps = importNpmLock { npmRoot = ./.; };
npmConfigHook = importNpmLock.npmConfigHook;

After this, dependency bumps no longer touch any Nix hash — test-nix stays green on a plain rebase.

Verification

Built locally on macOS against nixpkgs-unstable:

$ nix build .#sysdig-vscode-vsix
…
DONE  Packaged: sysdig-vscode-ext-0.2.16.vsix (198 files, 353.03 KB)

Follow-up

Once merged, the open Dependabot PRs just need @dependabot rebase to go green — no per-PR hash edits.

Replace the pinned npmDepsHash with importNpmLock so the Nix build reads dependencies straight from package-lock.json. Dependency bumps (Dependabot) no longer break test-nix with a hash mismatch and no manual hash update is required. Verified locally: nix build .#sysdig-vscode-vsix packages the vsix successfully.
@airadier airadier requested a review from a team as a code owner June 18, 2026 10:23
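
Added example, not part of the PR or the project's code: importNpmLock fetches each package from the resolved URL recorded in package-lock.json and verifies it against that entry's integrity value, so after this change those per-package fields are what pin the dependencies. The sketch below audits them; sampleLock, auditLockfile and allowedHost are assumed names, and the lockfile content is constructed.

```javascript
// Constructed sample in package-lock.json v3 layout; names and hashes are fake.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-ext", version: "0.0.0" },
    "node_modules/ok-pkg": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/ok-pkg/-/ok-pkg-1.0.0.tgz",
      integrity: "sha512-AAAAconstructed==",
    },
    "node_modules/weak-pkg": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/weak-pkg/-/weak-pkg-2.0.0.tgz",
      integrity: "sha1-BBBBconstructed=",
    },
    "node_modules/bare-pkg": {
      version: "3.0.0",
      resolved: "http://mirror.example.invalid/bare-pkg-3.0.0.tgz",
    },
    "node_modules/local-link": { resolved: "packages/local", link: true },
  },
};

// Returns one finding per problem; allowedHost is an assumed policy default.
function auditLockfile(lock, allowedHost = "registry.npmjs.org") {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages ?? {})) {
    // Root/workspace entries, links and bundled deps have no tarball of their own.
    if (!path.includes("node_modules/") || pkg.link || pkg.inBundle) continue;
    const add = (issue) => findings.push({ path, issue });
    if (!pkg.resolved) { add("no resolved URL"); continue; }
    if (pkg.resolved.startsWith("git+")) { add("git source, no integrity hash"); continue; }
    const url = new URL(pkg.resolved);
    if (url.protocol !== "https:") add("not fetched over https");
    if (url.hostname !== allowedHost) add(`unexpected host ${url.hostname}`);
    if (!pkg.integrity) add("missing integrity");
    // integrity may list several hashes; require at least one strong one.
    else if (!/(^|\s)sha(256|384|512)-/.test(pkg.integrity)) add("no sha256/384/512 hash");
  }
  return findings;
}

for (const f of auditLockfile(sampleLock)) console.log(`${f.path}: ${f.issue}`);
```

Run against the real lockfile by parsing package-lock.json and passing the object in; a non-empty result on a dependency PR is worth a reviewer's look, since no separate Nix hash changes any more.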

@tembleking (Member) left a comment

Nice, can you also remove this part if it's not needed anymore?

rehash-npm-nix:
    sd 'npmDepsHash = ".*";' "npmDepsHash = \"$(nix hash convert --to sri $(prefetch-npm-deps ./package-lock.json))\";" vsix.nix

With importNpmLock there is no fixed-output hash to maintain, so remove the rehash-npm-nix just recipe, its pre-commit hook, its call in just update, and the now-unused prefetch-npm-deps devShell package.

@airadier (Contributor, Author)

Good catch @tembleking — done in 332ee45. Since there is no longer a fixed-output hash to maintain, I removed the whole rehash machinery, not just the recipe:

  • rehash-npm-nix recipe in the Justfile
  • its call inside just update
  • the rehash pre-commit hook (would have failed once the recipe was gone)
  • the now-unused prefetch-npm-deps package from the devShell

Re-verified locally: nix build .#sysdig-vscode-vsix packages the vsix and the devShell still evaluates.

@airadier airadier enabled auto-merge (squash) June 18, 2026 10:37
@airadier airadier merged commit fff3693 into main Jun 18, 2026
5 checks passed
@airadier airadier deleted the fix/nix-importnpmlock branch June 18, 2026 10:46