Feat/deterministic npm installs#175
Conversation
27dc9dd to
5afb212
Compare
| "@babel/core": "7.29.0", | ||
| "@babel/generator": "7.29.1", | ||
| "@babel/plugin-proposal-decorators": "7.29.0", | ||
| "@babel/plugin-proposal-export-default-from": "7.27.1", | ||
| "@babel/preset-env": "7.29.5", | ||
| "@babel/preset-flow": "7.27.1", | ||
| "@babel/preset-react": "7.28.5", | ||
| "@babel/preset-typescript": "7.28.5", | ||
| "@babel/template": "7.28.6", | ||
| "babel-plugin-ttag": "1.8.16", | ||
| "chalk": "^2.4.2", | ||
| "cross-spawn": "^7.0.6", | ||
| "estree-walker": "^2.0.1", | ||
| "gettext-parser": "^6.0.0", | ||
| "chalk": "2.4.2", | ||
| "cross-spawn": "7.0.6", | ||
| "estree-walker": "2.0.1", | ||
| "gettext-parser": "6.0.0", |
There was a problem hiding this comment.
Pinning regular dependencies doesn't look right to me.
There was a problem hiding this comment.
The pinning helps reduce supply-chain attacks that use the npm version bumping when running npm install + postinstall, such as the recent shai-hulud worm.
With the ^, is there is a non-major poisoned version of any of the dependencies released and anyone runs npm install, they will get it implicitly.
| "@types/babel__template": "^7.0.3", | ||
| "@types/babel__traverse": "^7.0.15", | ||
| "@types/chalk": "^2.2.0", | ||
| "@types/babel__generator": "7.6.2", |
There was a problem hiding this comment.
Are dev dep dumps really needed? why?
|
Thank you for the ping, @aperkaz I don't have permissions to update repo settings, so I can't help with PR auto-assignment. |
|
I'm not an expert wrt. pinning transient deps for command-line tools. |
|
Pinning top-deps is indeed not enough, but it's something 😁 All the dependencies in the tree are pinned into package-lock.json, which keeps track of all versions, their integrity hashes... |
Closes #174.
You can verify that there are no changes to the dependency graph by running
npm cilocally.If there were, the command would fail.