Hi,
package-lock.json is basically impossible to manually review but we still have to do some form of basic checking on its contents.
I'd like to introduce a small, conservative tool that does *some* of these checks for us. package-lock-lint[1] currently checks that:

* package-lock.json is using lockfileVersion 1 or 2 and matches the basic schema.
* All dependencies resolve to valid URLs (catches [2])
* All dependencies are downloaded over HTTPS/SSH (not insecure)
* Not depending upon the typo but real "-" package
Even if all of these are passing, it does not guarantee that the modified package-lock.json is good, however any failure in these checks is a sign something is wrong.
This code has been running as part of LibUp since May and has caught instances where dependencies were being downloaded over HTTP[3] as well as bugs in npm that would've caused LibUp to submit buggy patches.
If there are no concerns, I would like to enable running this tool in all instances where CI installs stuff from npm.
The main Phabricator bug for this is https://phabricator.wikimedia.org/T242058, thanks to James_F for providing input and advice on the design.
[1] https://gitlab.com/legoktm/package-lock-lint
[2] https://phabricator.wikimedia.org/T278857
[3] https://gerrit.wikimedia.org/r/q/topic:%2522package-lock-https%2522
Thanks,
-- Legoktm
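As an added illustration of the four checks listed in the message (this is example code written for this page, not the package-lock-lint tool's own source), the Python script below walks a constructed package-lock.json and reports each entry that fails: unsupported lockfileVersion, an unparseable "resolved" URL, a download scheme other than HTTPS/SSH, or the "-" package name. The allowed-scheme set, the package names in the sample lockfile, and the function names are assumptions made here.

```python
"""Minimal package-lock.json linter in the spirit of the checks described in the email."""
import json
from urllib.parse import urlparse

# Schemes considered acceptable for fetching a dependency; this allow list is an assumption.
SAFE_SCHEMES = {"https", "ssh", "git+ssh", "git+https"}
# Package names that are known typo traps; "-" is the one named in the email.
SUSPICIOUS_NAMES = {"-"}

# Constructed sample lockfile (lockfileVersion 1 layout). Package names other than
# left-pad and "-" are made up, and the integrity values are placeholders.
SAMPLE_LOCK = """{
  "name": "example-app",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-PLACEHOLDER"
    },
    "old-fetch": {
      "version": "0.1.0",
      "resolved": "http://registry.npmjs.org/old-fetch/-/old-fetch-0.1.0.tgz",
      "integrity": "sha1-PLACEHOLDER",
      "dependencies": {
        "broken-dep": {
          "version": "2.0.0",
          "resolved": "not a url at all",
          "integrity": "sha1-PLACEHOLDER"
        }
      }
    },
    "-": {
      "version": "0.0.1",
      "resolved": "https://registry.npmjs.org/-/-/--0.0.1.tgz",
      "integrity": "sha512-PLACEHOLDER"
    }
  }
}"""


def _walk_v1(deps, path=()):
    """Yield (label, package_name, entry) for the nested 'dependencies' tree of lockfileVersion 1."""
    for name, entry in deps.items():
        here = path + (name,)
        yield " > ".join(here), name, entry
        if isinstance(entry, dict):
            yield from _walk_v1(entry.get("dependencies", {}), here)


def _walk_v2(packages):
    """Yield (label, package_name, entry) for the 'packages' map of lockfileVersion 2 (keys are paths)."""
    for key, entry in packages.items():
        if key == "":  # the root project itself, not a dependency
            continue
        name = key.rsplit("node_modules/", 1)[-1]
        yield key, name, entry


def lint_lock(lock):
    """Return a list of human-readable problems; an empty list means all checks passed."""
    if not isinstance(lock, dict):
        return ["lockfile is not a JSON object"]
    version = lock.get("lockfileVersion")
    if version not in (1, 2):
        return [f"unsupported lockfileVersion: {version!r}"]
    if version == 2:
        packages = lock.get("packages")
        if not isinstance(packages, dict):
            return ["lockfileVersion 2 file has no 'packages' object"]
        entries = _walk_v2(packages)
    else:
        deps = lock.get("dependencies", {})
        if not isinstance(deps, dict):
            return ["'dependencies' is not an object"]
        entries = _walk_v1(deps)

    problems = []
    for label, name, entry in entries:
        if not isinstance(entry, dict):
            problems.append(f"{label}: entry is not an object")
            continue
        if name in SUSPICIOUS_NAMES:
            problems.append(f"{label}: suspicious package name {name!r}")
        resolved = entry.get("resolved")
        if resolved is None:
            # Bundled, linked and local (file:) dependencies legitimately carry no download URL.
            local = entry.get("bundled") or entry.get("link") or str(entry.get("version", "")).startswith("file:")
            if not local:
                problems.append(f"{label}: missing 'resolved' URL")
            continue
        parsed = urlparse(str(resolved))
        if not parsed.scheme or not parsed.netloc:
            problems.append(f"{label}: 'resolved' is not a valid URL: {resolved!r}")
        elif parsed.scheme not in SAFE_SCHEMES:
            problems.append(f"{label}: insecure download scheme {parsed.scheme!r}: {resolved}")
    return problems


def lint_text(text):
    """Parse JSON text and lint it; malformed JSON is itself reported as a problem."""
    try:
        return lint_lock(json.loads(text))
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]


if __name__ == "__main__":
    for problem in lint_text(SAMPLE_LOCK):
        print(problem)
```

Run against the sample, the script reports three findings: the HTTP download for old-fetch, the unparseable URL of its nested broken-dep, and the "-" package; left-pad passes. As the email says, a clean run is not proof the lockfile is good, but any finding is worth stopping CI for.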