Add npm dependencies with lockfile
Add pacote (at v11.1.11) as a proper npm dependency because it was being
installed in CI dynamically. It is added as a devDependency because
users of the package do not need it, so it shouldn't be included for them.
Accordingly, update CI pipelines to use `npm clean-install`, which will
install exactly what is in the lockfile; for more details see:
<https://docs.npmjs.com/cli/v10/commands/npm-ci>.

This change hardens the supply chain. Before, even if you trust npm to
be immutable and always give you the same code for pacote, it would
resolve different versions of transitive dependencies (evidenced by the
presence of version ranges in the dependency list for pacote in the
newly added lockfile, line 1294 to 1314).
ericcornelissen committed Apr 5, 2024
1 parent 951462f commit 055e7f7
Showing 4 changed files with 1,800 additions and 3 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/npm-publish.yml
@@ -27,7 +27,7 @@ jobs:
with:
node-version: 20
registry-url: https://registry.npmjs.org/
- run: npm install [email protected]
- run: npm clean-install
- run: git checkout .
- run: npm version --no-git-tag-version `node -e 'pacote=require("pacote");pacote.manifest("crawler-user-agents").then(pkgJson => { console.log(pkgJson.version); });'`
- run: npm version --no-git-tag-version patch
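Review bot: the `npm version --no-git-tag-version \`node -e '...pacote.manifest("crawler-user-agents")...'\`` step still resolves the current `crawler-user-agents` version from the registry at publish time, so the lockfile pins the tool (pacote) but not the result of that lookup; if that is acceptable it is worth stating in the workflow. Two smaller points on the same hunk: with `npm clean-install` replacing `npm install pacote@...`, the following `git checkout .` no longer has anything to revert, because `npm clean-install` does not rewrite `package.json` or the lockfile the way `npm install <pkg>` did; and since this is the publish job, running `npm clean-install --ignore-scripts` would keep lifecycle scripts of transitive devDependencies from executing in the job that holds registry credentials.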
2 changes: 1 addition & 1 deletion .travis.yml
@@ -4,7 +4,7 @@ python: 3.11.0

install:
- pip3 install jsonschema pytest
- npm install [email protected]
- npm clean-install

script:
- set -e
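Review bot: `npm clean-install` fails if the committed lockfile disagrees with `package.json`, which is the intended behaviour here, but the adjacent `pip3 install jsonschema pytest` line is still unpinned and floats across versions in the same way the replaced `npm install` line did; pinning those two packages (for example via a requirements file with exact versions and `pip3 install -r`) would make the Travis job consistent with the commit's stated supply-chain goal.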

0 comments on commit 055e7f7
