Is your package truly reproducible?
Independently verify whether a published npm package can be faithfully rebuilt from its declared source. Unlike provenance systems that merely associate a package with a build environment, reproduce empirically tests whether the package actually corresponds to its source.
5,000 high-impact packages tested
5.78% verified as reproducible
3.72% have provenance attestations
How it works
Instead of relying on metadata alone, reproduce verifies package integrity by attempting to rebuild packages from their linked source repositories.
1. Fetch: fetches the package's source metadata from the npm registry (repository URL, commit hash, and directory).
2. Clone: clones the source repository at the exact commit linked to the package.
3. Build: runs the package's build steps in a clean environment using configurable strategies.
4. Compare: compares the resulting artifact with the actual published npm package to verify integrity.
Verify Package Integrity
Determines whether a package can be reproduced from its referenced repository metadata — including repository URL, type, directory, and gitHead.
Detect Manifest Confusion
Cross-checks the repository information the registry holds for the package against the package.json in the published tarball. Any mismatch is flagged as potential manifest confusion: the registry's manifest and the packed package.json disagreeing about what the package is.
Empirical Verification
Goes beyond provenance metadata by actually rebuilding the package and comparing artifacts. Trust is earned, not assumed.
CLI & Programmatic API
Use it from the command line with vlx or integrate it into your workflows programmatically. Persistent caching included.
Reproducibility vs. Provenance
Provenance tells you where a package claims to come from. Reproducibility proves it.
Get started in seconds
$ vlx reproduce axios --json
{
  "reproduced": false,
  "strategy": "npm:10.9.1",
  "package": { "name": "axios", "version": "1.7.9" },
  "source": { "location": "git+https://github.com/axios/axios.git" }
}