Skip to content

fix: publish shrinkwrap with npm 11#2960

Open
rinatkhaziev wants to merge 1 commit into
trunkfrom
codex/dual-npm-lockfiles
Open

fix: publish shrinkwrap with npm 11#2960
rinatkhaziev wants to merge 1 commit into
trunkfrom
codex/dual-npm-lockfiles

Conversation

@rinatkhaziev

Copy link
Copy Markdown
Contributor

This pull request introduces a new workflow to keep npm-shrinkwrap.json and package-lock.json in sync, ensuring compatibility with both npm 11 and 12. It adds a helper script, corresponding tests, and documentation updates. The CI pipeline now checks for drift between the lockfiles, and the npm publish workflows are updated to use npm 11 for publishing, since npm 12 omits npm-shrinkwrap.json from package tarballs.

Shrinkwrap synchronization and enforcement:

  • Added a new helper script helpers/sync-shrinkwrap.js to copy package-lock.json to npm-shrinkwrap.json and verify they are identical in check mode.
  • Added a test suite __tests__/helpers/sync-shrinkwrap.js to verify the correct behavior of the sync/check script.
  • Introduced check:shrinkwrap and sync:shrinkwrap npm scripts in package.json, and ensured the version script keeps the lockfiles in sync.
  • Updated the CI workflow (.github/workflows/ci.yml) to run the shrinkwrap check as part of validation.

Publishing and documentation updates:

  • Updated the npm publish workflows to use npm 11 and pass the npm-version parameter, ensuring npm-shrinkwrap.json is included in published packages. [1] [2]
  • Improved release documentation in docs/RELEASING.md to explain the dual lockfile approach, the need to use npm 11 for publishing, and how to keep lockfiles synchronized. [1] [2] [3]

@github-actions

Copy link
Copy Markdown
Contributor

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

License Issues

.github/workflows/npm-publish.yml

PackageVersionLicenseIssue Type
Automattic/vip-actions/npm-publish2aaa92147b086cb0ce2f6b2ea4208bd2489c6509NullUnknown License
Automattic/vip-actions/npm-publish-prerelease2aaa92147b086cb0ce2f6b2ea4208bd2489c6509NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
actions/Automattic/vip-actions/npm-publish 2aaa92147b086cb0ce2f6b2ea4208bd2489c6509 UnknownUnknown
actions/Automattic/vip-actions/npm-publish-prerelease 2aaa92147b086cb0ce2f6b2ea4208bd2489c6509 UnknownUnknown

Scanned Files

  • .github/workflows/npm-publish.yml

@sonarqubecloud

Copy link
Copy Markdown

id-token: write
pull-requests: write
steps:
- uses: Automattic/vip-actions/npm-publish@c8022b66e78461df4f802b935dc0dbb8399f96bc # v0.7.4

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm going to cut a release so the automated updates pull

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

k let's use 438cd00aac2463a2dbfb4a747ad7b1ac67a2575a

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants