Build: Pin dev dependencies

Follows-up 06424ba. This ensures
reproducible builds for e.g. minor changes in Rollup or Babel.

Also remove the file trigger from `.github/workflows/reproducible.yaml`
which otherwise triggers on release commits and release branches,
because it seems GitHub interprets release branches/tags as creating
all files, and thus matching all files.

Exclude 3.0.0-alpha.3 because it still committed package-lock.json,
and contained older versions than the working copy I released it with.

.github/workflows/reproducible.yaml

@@ -5,10 +5,6 @@ on:
     - cron: '30 0 * * 1'
   # Or manually
   workflow_dispatch:
-  # Or when developing this workflow
-  push:
-    paths:
-      - .github/workflows/reproducible.yaml
 
 jobs:
   run:

CONTRIBUTING.md

@@ -32,7 +32,7 @@ Foundation's [CLA for QUnit](https://cla.js.foundation/qunitjs/qunit).
 
 For code changes, you'll need to have [Node.js](https://nodejs.org/en/) installed.
 
-Install dependencies in the repository via `npm ci`. Make your code
+Install dependencies in the repository via `npm install`. Make your code
 changes and run `npm test` which will validate the syntax and coding style,
 and run unit and integration tests.
 

RELEASE.md

@@ -34,7 +34,7 @@ Ensure that all changes for this release have been merged into the main branch.
 
 1. Install dev dependencies:
    ```
-   npm ci
+   npm install
    ```
 
 1. Prepare for the release commit, and build release artefacts:

build/reproducible-builds.js

@@ -17,25 +17,34 @@ const tempDir = path.join(__dirname, '../temp', 'reproducible-builds');
 const SRC_REPO = 'https://github.com/qunitjs/qunit.git';
 
 /**
- * Known caveats prior to QUnit 2.17.0:
+ * QUnit 2.17.0 and later are fully reproducible with this script.
  *
- * - Prior to QUnit 2.14.1, file headers included an uncontrolled "current" timestamp.
- *   This would have to be ignored or replaced prior to comparison.
- * - Prior to QUnit 2.14.1, the build wrote files to "/dist" instead of "/qunit".
- * - QUnit 2.15.0 contained some CR (\r) characters in comments from fuzzysort.js,
- *   which get normalized to LF (\n) by Git and npm, but not in the actual builds
- *   and in what we publish to the CDN. This was fixed in [email protected] and [email protected].
+ * Known caveats:
  *
- * QUnit 2.17.0 and later are fully reproducible with this script. Notes:
+ * QUnit 2.14.1 - 2.16.0:
+ *   - File headers included an uncontrolled "current" timestamp.
+ *     This would have to be ignored or replaced prior to comparison.
+ *   - The build wrote files to "/dist" instead of "/qunit".
  *
- * - [email protected] to 2.21.0 were built and published using npm 8 or npm 9.
+ * QUnit 2.15.0:
+ *   - Contained some CR (\r) characters in comments from fuzzysort.js,
+ *     which get normalized to LF (\n) by Git and npm, but not in the actual builds
+ *     and in what we publish to the CDN. This was fixed in [email protected] and [email protected].
  *
+ * QUnit 2.17.0 - 2.21.0:
+ * - These were built and published using npm 8 or npm 9.
  *   In npm 10, upstream changed gzip encoding slightly for the npm-pack tarball (.tgz). This
  *   means a tarball from npm 10+ is not byte-for-byte identical to ones generated by npm 8 or 9.
  *   After gzip-decompression, however, the tar stream is byte-for-byte identical.
  *   Either use npm 8 or 9 to verify these, or verify the tarball after gzip decompression.
+ *
+ * QUnit 3.0.0-alpha.3:
+ * - The package-lock.json file was a few commits behind what was actually released,
+ *   thus reproducing it uees a slightly Rollup/Babel version that outputs with slightly
+ *   different code formatting.
  */
-const VERIFY_COUNT = 3;
+const VERIFY_COUNT = 5;
+const EXCLUDE = ['3.0.0-alpha.3'];
 
 async function buildRelease (version, cacheDir = null) {
   console.log(`... ${version}: checking out the source`);
@@ -56,8 +65,7 @@ async function buildRelease (version, cacheDir = null) {
     QUNIT_BUILD_RELEASE: '1',
     PUPPETEER_CACHE_DIR: path.join(cacheDir, 'puppeteer_download')
   };
-  // Use sync for npm-ci to avoid concurrency bugs with shared cache
-  cp.execFileSync('npm', ['ci'], {
+  cp.execFileSync('npm', ['install'], {
     env: npmEnv,
     cwd: gitDir
   });
@@ -110,6 +118,9 @@ const Reproducible = {
       const data = JSON.parse(await utils.download(cdnIndexUrl));
 
       for (const release of data.qunit.all.slice(0, VERIFY_COUNT)) {
+        if (EXCLUDE.includes(release.version)) {
+          continue;
+        }
         releases[release.version] = {
           cdn: {
             js: {

package.json

@@ -60,14 +60,14 @@
     "tiny-glob": "0.2.9"
   },
   "devDependencies": {
-    "@babel/core": "^7.24.6",
-    "@babel/plugin-external-helpers": "^7.24.6",
-    "@babel/preset-env": "^7.24.6",
+    "@babel/core": "7.25.2",
+    "@babel/plugin-external-helpers": "7.25.9",
+    "@babel/preset-env": "7.25.4",
     "@qunitjs/browserstack-runner": "0.9.5-qunitjs.2",
-    "@rollup/plugin-babel": "^6.0.4",
-    "@rollup/plugin-commonjs": "^26.0.1",
-    "@rollup/plugin-node-resolve": "^15.2.3",
-    "@rollup/plugin-replace": "^5.0.5",
+    "@rollup/plugin-babel": "6.0.4",
+    "@rollup/plugin-commonjs": "26.0.1",
+    "@rollup/plugin-node-resolve": "15.2.3",
+    "@rollup/plugin-replace": "5.0.7",
     "benchmark": "2.1.4",
     "eslint": "^8.57.0",
     "eslint-config-semistandard": "^17.0.0",
@@ -82,18 +82,18 @@
     "eslint-plugin-qunit": "^8.1.1",
     "fixturify": "^3.0.0",
     "fuzzysort": "1.2.1",
-    "grunt": "^1.6.1",
-    "grunt-contrib-connect": "^5.0.0",
-    "grunt-contrib-copy": "^1.0.0",
+    "grunt": "1.6.1",
+    "grunt-contrib-connect": "5.0.0",
+    "grunt-contrib-copy": "1.0.0",
     "grunt-contrib-qunit": "^10.1.1",
-    "grunt-search": "^0.1.8",
+    "grunt-search": "0.1.8",
     "kleur": "4.1.5",
     "npm-reporter": "file:./test/cli/fixtures/npm-reporter",
     "nyc": "^17.0.0",
-    "proxyquire": "^2.0.0",
-    "requirejs": "^2.3.6",
-    "rollup": "^4.18.0",
-    "tap-min": "^3.0.0"
+    "proxyquire": "2.1.3",
+    "requirejs": "2.3.7",
+    "rollup": "4.21.3",
+    "tap-min": "3.0.0"
   },
   "scripts": {
     "build": "rollup -c && grunt copy",

test/benchmark/README.md

@@ -6,7 +6,7 @@ The default is to benchmark the local development version of QUnit.
 
 * Install QUnit for development and generate the release artefact:
   ```
-  qunit$ npm ci
+  qunit$ npm install
   qunit$ npm run build
   ```
 * Link benchmark to local artefact.