Can't fetch npm dependencies using prefetch-npm-deps

I’m trying to fetch some npm dependencies using the prefetch-npm-deps package. When I run the command in my flake, it just halts. There is no info as to why it’s failing, it just gets stuck. I think it either has to do with the creation of the cache (readonly file system) or something to do with downloading the files. This is what my default.nix looks like:

{nixpkgs, project, ...}:
with import nixpkgs { system = "x86_64-linux"; };
stdenv.mkDerivation {
    name = "dependencies";
    src = project;
    nativeBuildInputs = [ prefetch-npm-deps ];
    buildPhase = ''
        prefetch-npm-deps package-lock.json $out;
    dontInstall = true;

Does anyone know how I can get this command to work inside a flake? It works fine outside the flake.
I’ve also tried using runCommand and other techniques, they all end up getting stuck.
Also may be worth noting that the repo does have submodules, though I doubt that would change anything.

Are you aware of ?

Yes. I’m also aware that traditionally nix builds don’t have network access. I’ve been reading into fixed derivations but still haven’t resolved my issue. Basically my issue is that I have a git repo that is used as a flake input (non flake repo, just a plain git repo). In order to install the derivation, it needs to build a node package. In order to build the node package I need to provide an output hash for the node dependencies. Generally you would also need to provide a hash for the git repo itself, but nix handles this with the url input and automatically determines the hash. I want to do something similar with the node packages. Because right now, if I run flake update, there is a change that the npmDepsHash will have changed and will break my build. The only solutions I’ve found right now are to build with a fake hash and pull the real hash from the failed build. That’s really janky. I want to be able to take that repo as an input, run the prefetch-npm-deps on the repo, retrieve the expected hash, and use that later on in my build to actually build the package. The only other possible solution I have found is to set sandbox to relaxed, which I would prefer not to do, but may be the only viable way. I will try to update the post to better reflect that.

I recommend against that. If things break with it relaxed, the only fix we can offer is to set it to true again.

Do you know nix-update? that should be able to also update this hash.

You you also just use the flake impurely and just import it from disk.

I’m not to familiar with nix-update. I’m currently trying to do an impure evaluation. That requires the “impure-derivations” feature correct? All my impure derivations fail with this error: cannot operate on an output of the unbuilt derivation

Normal derivations can only depend on fixed output impure derivativions, so that likely does not fix your issue.

I think you are running into IFD, import from derivation.

Okay so if I want to generate this hash dynamically, how do you think I should go about it? Is there a way to do this in the flake inputs themselves? ie: Take that flake input and generate another flake input that contains the cached dependencies? Or is there an impure approach that is easy to do? I can’t seem to find any examples on how to do it. I want the solution to be entirely contained in the flake update or flake build pipeline. I don’t want to run scripts or generate files outside nix that are later used in the pipeline. I don’t mind using an impure approach, but I can’t seem to find any concrete examples on how to do it. Do you know where I can look?

I ended up going with your suggestion and using nix-update. I wish there was an easy way to handle this in flakes or packages, but as of right now this looks like the best solution. Hopefully this sort of functionality can be included with flakes in the future. Thank you for the help!