Mailing List Archive

Have CI perform basic checks on package-lock.json
Hi,

package-lock.json is basically impossible to manually review but we
still have to do some form of basic checking on its contents.

I'd like to introduce a small, conservative tool that does *some* of
these checks for us. package-lock-lint[1] currently checks that:
* package-lock.json is using lockfileVersion 1 or 2 and matches the
basic schema.
* All dependencies resolve to valid URLs (catches [2])
* All dependencies are downloaded over HTTPS/SSH (not insecure)
* Not depending upon the typo but real "-" package

Even if all of these are passing, it does not guarantee that the
modified package-lock.json is good, however any failure in these checks
is a sign something is wrong.
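To make the four checks above concrete, here is an added, stand-alone illustration of the same kind of conservative checking; it is not package-lock-lint itself and the sample lockfile it runs over is constructed for the example. Only https, git+https, git+ssh and ssh are treated as acceptable schemes, which is an assumption about what "HTTPS/SSH" should cover.

```python
from urllib.parse import urlparse

# Assumed set of acceptable schemes for a "resolved" URL (HTTPS or SSH transport).
SAFE_SCHEMES = {"https", "git+https", "git+ssh", "ssh"}


def iter_dependencies(lock):
    """Yield (name, entry) for each dependency in a lockfileVersion 1 or 2 file."""
    if "packages" in lock:
        # v2 keeps a flat map keyed by path; "" is the root project itself.
        for path, entry in lock["packages"].items():
            if path:
                yield path.rsplit("node_modules/", 1)[-1], entry
        return
    # v1 nests transitive dependencies under each entry's "dependencies".
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, entry = stack.pop()
        yield name, entry
        stack.extend(entry.get("dependencies", {}).items())


def check_lockfile(lock):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if lock.get("lockfileVersion") not in (1, 2):
        problems.append(f"unsupported lockfileVersion: {lock.get('lockfileVersion')!r}")
        return problems
    for key in ("dependencies", "packages"):
        if key in lock and not isinstance(lock[key], dict):
            problems.append(f"{key!r} must be an object")
            return problems
    for name, entry in iter_dependencies(lock):
        if name == "-":
            problems.append('depends on the "-" package (almost certainly a typo)')
        resolved = entry.get("resolved")
        if resolved is None:
            continue  # bundled or link entries carry no resolved URL
        parsed = urlparse(resolved)
        if not parsed.scheme or not parsed.netloc:
            problems.append(f"{name}: resolved is not a valid URL: {resolved}")
        elif parsed.scheme not in SAFE_SCHEMES:
            problems.append(f"{name}: insecure scheme {parsed.scheme!r} in {resolved}")
    return problems


# Constructed sample: one HTTP download, one "-" typo dependency, one clean entry.
SAMPLE_LOCK = {"lockfileVersion": 1, "dependencies": {
    "left-pad": {"version": "1.3.0", "resolved": "http://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
    "-": {"version": "0.0.1", "resolved": "https://registry.npmjs.org/-/-/--0.0.1.tgz"},
    "ok": {"version": "1.0.0", "resolved": "https://registry.npmjs.org/ok/-/ok-1.0.0.tgz"}}}
```

Running `check_lockfile(SAMPLE_LOCK)` reports the HTTP URL and the "-" dependency and nothing else; exit non-zero on a non-empty list to fail the CI job.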

This code has been running as part of LibUp since May and has caught
instances where dependencies were being downloaded over HTTP[3] as well
as bugs in npm that would've caused LibUp to submit buggy patches.

If there are no concerns, I would like to enable running this tool in
all instances where CI installs stuff from npm.

The main Phabricator bug for this is
<https://phabricator.wikimedia.org/T242058>, thanks to James_F for
providing input and advice on the design.

[1] https://gitlab.com/legoktm/package-lock-lint
[2] https://phabricator.wikimedia.org/T278857
[3] https://gerrit.wikimedia.org/r/q/topic:%2522package-lock-https%2522

Thanks,
-- Legoktm
_______________________________________________
Wikitech-l mailing list -- wikitech-l@lists.wikimedia.org
To unsubscribe send an email to wikitech-l-leave@lists.wikimedia.org
https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/