package-lock.json is basically impossible to manually review but we
still have to do some form of basic checking on its contents.

I'd like to introduce a small, conservative tool that does *some* of
these checks for us. package-lock-lint currently checks that:

* package-lock.json is using lockfileVersion 1 or 2 and matches the
* All dependencies resolve to valid URLs (catches )
* All dependencies are downloaded over HTTPS/SSH (not insecure)
* Not depending upon the typo but real "-" package

Even if all of these are passing, it does not guarantee that the
modified package-lock.json is good; however, any failure in these checks
is a sign something is wrong.
This code has been running as part of LibUp since May and has caught
instances where dependencies were being downloaded over HTTP as well
as bugs in npm that would've caused LibUp to submit buggy patches.

If there are no concerns, I would like to enable running this tool in
all instances where CI installs stuff from npm.

The main Phabricator bug for this is
<https://phabricator.wikimedia.org/T242058>, thanks to James_F for
providing input and advice on the design.