Actually actually (TM) include lockfile in npm artifacts

Previous attempt failed by design of `npm pack` / `npm publish`, as documented at https://docs.npmjs.com/cli/v6/configuring-npm/package-lock-json : > One key detail about package-lock.json is that it cannot be published, > and it will be ignored if found in any place other than the toplevel > package. It shares a format with npm-shrinkwrap.json, which is > essentially the same file, but allows publication. > > This is not recommended unless deploying a CLI tool or otherwise using > the publication process for producing production packages. , and we are a CLI tool. Switching to shrinkwrap.
pupunzi · Sep 25, 2021 · 561beda · 561beda
1 parent 8fdceee
commit 561beda
Show file tree

Hide file tree

Showing 7 changed files with 230 additions and 225 deletions.
diff --git a/.gitignore b/.gitignore
@@ -11,6 +11,8 @@ built-tests
 !app/lib/.placeholder
 
 dist
+package-lock.json
+app/package-lock.json
 
 # Logs
 logs

diff --git a/.npmignore b/.npmignore
@@ -1,7 +1,7 @@
 /*
 !lib/
 !icon-scripts
-!package-lock.json
+!npm-shrinkwrap.json
 .DS_Store
 src/
 *eslintrc.js
@@ -19,5 +19,5 @@ app/*
 !app/inject/
 !app/nativefier.json
 !app/package.json
-!app/package-lock.json
+!app/npm-shrinkwrap.json
 .vscode/
diff --git a/.npmrc b/.npmrc
@@ -0,0 +1 @@
+package-lock=false
diff --git a/HACKING.md b/HACKING.md
@@ -151,9 +151,9 @@ The best time to do package upgrades is now / progressively, because:
 
 So: do upgrade CLI & App deps regularly! Our release script will remind you about it.
 
-### Deps lockfile
+### Deps lockfile / shrinkwrap
 
-We do use lockfiles (`package-lock.json` & `app/package-lock.json`), for:
+We do use lockfiles (`npm-shrinkwrap.json` & `app/npm-shrinkwrap.json`), for:
 
 1. Security (avoiding supply chain attacks)
 2. Reproducibility
@@ -162,6 +162,11 @@ We do use lockfiles (`package-lock.json` & `app/package-lock.json`), for:
 It means you might have to update these lockfiles when adding a dependency.
 `npm run relock` will help you with that.
 
+Note: we do use `npm-shrinkwrap.json` rather than `package-lock.json` because
+the latter is tailored to libraries, and is not publishable.
+As [documented](https://docs.npmjs.com/cli/v6/configuring-npm/shrinkwrap-json),
+CLI tools like Nativefier should use shrinkwrap.
+
 ### Release
 
 While on `master`, with no uncommitted changes, run:

diff --git a/app/package-lock.json → app/npm-shrinkwrap.json b/app/package-lock.json → app/npm-shrinkwrap.json
-Original file line number
+Diff line change
@@ Expand Up / @@ -11,6 +11,8 @@ built-tests @@
     !app/lib/.placeholder
     dist
+    package-lock.json
+    app/package-lock.json
     # Logs
     logs
@@ Expand Down @@