
Have CI perform basic checks on package-lock.json

package-lock.json is basically impossible to manually review but we
still have to do some form of basic checking on its contents.

I'd like to introduce a small, conservative tool that does *some* of
these checks for us. package-lock-lint[1] currently checks that:
* package-lock.json is using lockfileVersion 1 or 2 and matches the
basic schema.
* All dependencies resolve to valid URLs (catches [2])
* All dependencies are downloaded over HTTPS/SSH (not insecure)
* Not depending upon the typo-but-real "-" package

Even if all of these are passing, it does not guarantee that the
modified package-lock.json is good, however any failure in these checks
is a sign something is wrong.
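To make the four checks above concrete, here is an added example of a minimal linter in the same spirit. It is not package-lock-lint's own code; it walks either a lockfileVersion 1 "dependencies" tree or a lockfileVersion 2 "packages" map, and reports unsupported lockfile versions, dependencies whose "resolved" field is not a URL, dependencies fetched over anything other than HTTPS or SSH, and any dependency named "-". The `SAMPLE_LOCK` document, its package names and the integrity placeholder are constructed for the example.

```python
import json
import sys
from urllib.parse import urlparse

# Schemes accepted for fetching a dependency: HTTPS to a registry, or git over SSH.
SECURE_SCHEMES = {"https", "git+ssh", "ssh"}


def iter_dependencies(lock):
    """Yield (name, entry) for every dependency record in a v1 or v2 lockfile.

    v2 lockfiles carry a flat "packages" map keyed by path ("node_modules/foo");
    v1 lockfiles carry a nested "dependencies" tree. Only one of the two is walked
    so that a v2 file (which has both) does not report each dependency twice.
    """
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, entry in packages.items():
            if path == "":  # the root project entry, not a dependency
                continue
            yield path.rsplit("node_modules/", 1)[-1], entry
        return

    def walk(deps):
        for name, entry in (deps or {}).items():
            yield name, entry
            yield from walk(entry.get("dependencies"))

    yield from walk(lock.get("dependencies"))


def lint_lock(lock):
    """Return a list of (name, problem) tuples; an empty list means every check passed."""
    problems = []
    version = lock.get("lockfileVersion")
    if version not in (1, 2):
        problems.append(("<lockfile>", f"unsupported lockfileVersion: {version!r}"))
    container = lock.get("packages", lock.get("dependencies", {}))
    if not isinstance(container, dict):
        problems.append(("<lockfile>", "dependency container is not an object"))
        return problems

    for name, entry in iter_dependencies(lock):
        if name == "-":
            problems.append((name, 'depends on the typo-but-real "-" package'))
        # Local links and bundled packages legitimately carry no resolved URL.
        if entry.get("link") or entry.get("bundled") or entry.get("inBundle"):
            continue
        resolved = entry.get("resolved")
        if not resolved:
            problems.append((name, "missing resolved URL"))
            continue
        parsed = urlparse(resolved)
        if not parsed.scheme or not parsed.netloc:
            problems.append((name, f"resolved is not a valid URL: {resolved}"))
        elif parsed.scheme not in SECURE_SCHEMES:
            problems.append((name, f"resolved over insecure scheme {parsed.scheme}: {resolved}"))
    return problems


# Constructed v1 lockfile exercising each check (package names and hash are made up).
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "good-lib": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/good-lib/-/good-lib-1.3.0.tgz",
      "integrity": "sha512-PLACEHOLDER"
    },
    "old-lib": {
      "version": "0.1.0",
      "resolved": "http://registry.npmjs.org/old-lib/-/old-lib-0.1.0.tgz",
      "dependencies": {
        "-": {
          "version": "0.0.1",
          "resolved": "https://registry.npmjs.org/-/-/--0.0.1.tgz"
        }
      }
    },
    "weird": {
      "version": "1.0.0",
      "resolved": "not a url"
    }
  }
}
""")


if __name__ == "__main__":
    # CI usage: python lint_lock.py package-lock.json; exits non-zero on any finding.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    lock = json.load(open(path)) if path else SAMPLE_LOCK
    findings = lint_lock(lock)
    for name, problem in findings:
        print(f"{name}: {problem}")
    sys.exit(1 if findings else 0)
```

Run against the constructed sample it reports three findings (old-lib over HTTP, the "-" dependency, and weird's non-URL) and exits non-zero, which is the behaviour a CI job wants; as the post notes, a clean run proves nothing about the lockfile beyond these basic properties.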

This code has been running as part of LibUp since May and has caught
instances where dependencies were being downloaded over HTTP[3] as well
as bugs in npm that would've caused LibUp to submit buggy patches.

If there are no concerns, I would like to enable running this tool in
all instances where CI installs stuff from npm.

The main Phabricator bug for this is
<>, thanks to James_F for
providing input and advice on the design.


-- Legoktm
Wikitech-l mailing list --