Skip to content

Feat/deterministic npm installs#175

Open
aperkaz wants to merge 2 commits into
ttag-org:masterfrom
aperkaz:feat/deterministic-npm-installs
Open

Feat/deterministic npm installs#175
aperkaz wants to merge 2 commits into
ttag-org:masterfrom
aperkaz:feat/deterministic-npm-installs

Conversation

@aperkaz

@aperkaz aperkaz commented May 28, 2026

Copy link
Copy Markdown
Contributor

Closes #174.

You can verify that there are no changes to the dependency graph by running npm ci locally.
If there were, the command would fail.

@aperkaz
aperkaz force-pushed the feat/deterministic-npm-installs branch from 27dc9dd to 5afb212 Compare May 28, 2026 07:05
Comment thread package.json
@aperkaz

aperkaz commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@pelme @AlexMost @dimaqq somehow the PR doesnt assign any reviewers, is there anything I could do about that?
I have other improvement ideas for this package (speed of t`` extractions for example), I would rather contribute the work here than in a fork 🙂

Comment thread package.json
Comment thread package.json
Comment on lines +60 to +73
"@babel/core": "7.29.0",
"@babel/generator": "7.29.1",
"@babel/plugin-proposal-decorators": "7.29.0",
"@babel/plugin-proposal-export-default-from": "7.27.1",
"@babel/preset-env": "7.29.5",
"@babel/preset-flow": "7.27.1",
"@babel/preset-react": "7.28.5",
"@babel/preset-typescript": "7.28.5",
"@babel/template": "7.28.6",
"babel-plugin-ttag": "1.8.16",
"chalk": "^2.4.2",
"cross-spawn": "^7.0.6",
"estree-walker": "^2.0.1",
"gettext-parser": "^6.0.0",
"chalk": "2.4.2",
"cross-spawn": "7.0.6",
"estree-walker": "2.0.1",
"gettext-parser": "6.0.0",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pinning regular dependencies doesn't look right to me.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pinning helps reduce supply-chain attacks that use the npm version bumping when running npm install + postinstall, such as the recent shai-hulud worm.

With the ^, is there is a non-major poisoned version of any of the dependencies released and anyone runs npm install, they will get it implicitly.

Comment thread package.json
"@types/babel__template": "^7.0.3",
"@types/babel__traverse": "^7.0.15",
"@types/chalk": "^2.2.0",
"@types/babel__generator": "7.6.2",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are dev dep dumps really needed? why?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same reason as #175 (comment) 🙂

@dimaqq

dimaqq commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Thank you for the ping, @aperkaz

I don't have permissions to update repo settings, so I can't help with PR auto-assignment.

@dimaqq

dimaqq commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

I'm not an expert wrt. pinning transient deps for command-line tools.
Pinning top-level deps is surely not enough.
Should we ship npm-shrinkwrap.json?
I really dunno what's best.

@aperkaz

aperkaz commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

Pinning top-deps is indeed not enough, but it's something 😁
I added it into the PR as a suggestion, but it's personal preference territory, and I am happy to revert it instead.

All the dependencies in the tree are pinned into package-lock.json, which keeps track of all versions, their integrity hashes...
As long as devs and CI use npm ci instead of npm i, the risk is lower.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Protect against supply chain attacks by pinning package versions

2 participants