
chore: add package-lock.json (supply chain security)#6

Open
vbatanov wants to merge 1 commit into master from chore/add-lockfile

Conversation

@vbatanov

Summary

Adds a committed package-lock.json as part of the Node.js Supply Chain Security initiative.

Without a lockfile, every npm install / yarn install can silently resolve a different version of any dependency - including transitive ones. This makes builds non-deterministic and prevents meaningful audit results.

What was done

  • Detected package manager: npm

  • Detected Node.js version: 20

  • Generated lockfile inside an isolated node:20 Docker container with --ignore-scripts

  • If peer dep conflicts were detected, --legacy-peer-deps was applied automatically

  • No production code was changed

How to validate

git checkout chore/add-lockfile
npm ci   # or: yarn install --frozen-lockfile / pnpm install --frozen-lockfile

Next steps

Once this merges, the repo is unblocked for:

  • npm audit --audit-level=high in CI
  • Socket Firewall enrollment

Generated with Claude Code via /lockfile-pr

Generated by /lockfile-pr skill as part of the Node.js Supply Chain Security initiative.
Adds deterministic dependency resolution - a prerequisite for npm audit and Socket Firewall rollout.
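Added example, not part of this PR or the repository: a reviewer-side check of the properties that make a committed lockfile useful as a supply-chain control. It assumes a lockfileVersion 2 or 3 `package-lock.json` (the `packages` map), that the public npm registry is the only expected source, and uses a constructed sample lockfile in place of the real one.

```javascript
// Audit a parsed package-lock.json: every fetched package should pin an exact
// version, a "resolved" URL on the expected registry and a sha512 "integrity"
// hash. Anything else is a place where `npm ci` would still fetch unpinned or
// unverified content, so it is reported as a finding for the reviewer.
const ALLOWED_REGISTRY = "https://registry.npmjs.org/"; // assumption: public registry only

function auditLockfile(lock, allowedRegistry = ALLOWED_REGISTRY) {
  const findings = [];
  if (!lock || typeof lock !== "object") return ["lockfile is not a JSON object"];
  if (!Number.isInteger(lock.lockfileVersion) || lock.lockfileVersion < 2) {
    // v1 lockfiles have no "packages" map; npm 7+ should regenerate them
    findings.push(`lockfileVersion ${lock.lockfileVersion} is < 2; no "packages" map`);
    return findings;
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;   // root project entry, nothing to fetch
    if (entry.link) continue;    // workspace symlink, nothing to fetch
    if (!entry.version) findings.push(`${path}: missing version`);
    if (!entry.resolved) {
      findings.push(`${path}: missing resolved URL`);
    } else if (!entry.resolved.startsWith(allowedRegistry)) {
      findings.push(`${path}: resolved from unexpected source ${entry.resolved}`);
    }
    if (!entry.integrity) {
      findings.push(`${path}: missing integrity hash`);
    } else if (!entry.integrity.startsWith("sha512-")) {
      findings.push(`${path}: weak integrity algorithm ${entry.integrity.split("-")[0]}`);
    }
  }
  return findings;
}

// Constructed sample lockfile: one clean entry, one with a weak hash,
// one pulled from a git URL with no integrity at all.
const SAMPLE_LOCK = {
  name: "example-app", lockfileVersion: 3, requires: true,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTEDHASH" },
    "node_modules/ms": { version: "2.1.3",
      resolved: "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
      integrity: "sha1-CONSTRUCTEDHASH" },
    "node_modules/internal-lib": { version: "0.1.0",
      resolved: "git+ssh://git@example.invalid/internal-lib.git#abc123" },
  },
};

const sampleFindings = auditLockfile(SAMPLE_LOCK);
console.log(sampleFindings.length ? sampleFindings.join("\n") : "lockfile OK");
```

To run it against a real repository, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty findings list is a reason to hold the merge, not a reason to edit the lockfile by hand.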