feat: verify package-lock.json UTD (up to date) & audited #4598

Open. Wants to merge 36 commits into base: main

Conversation

mfranzke
Collaborator

@mfranzke mfranzke commented Jul 22, 2025

Proposed changes

From time to time we experience out-of-date package-lock.json files. To prevent those from resulting from our local development (as they are unlikely to be based on dependabot updates), we should enforce that they are quickly checked in the git push lifecycle phase.
Additionally, running npm audit fix would ensure that some of the easy dependency fixes would get adapted directly.

Types of changes

  • Bugfix (non-breaking change that fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Refactoring (improvements to existing components or architectural decisions)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation Update (if none of the other choices apply)

Further comments

@mfranzke mfranzke self-assigned this Jul 22, 2025
@mfranzke mfranzke requested a review from nmerget as a code owner July 22, 2025 07:25
@mfranzke mfranzke added the 🍄🆙improvement New feature or request label Jul 22, 2025
@mfranzke mfranzke moved this to 👀 In review in UX Engineering Team Backlog Jul 22, 2025
@mfranzke mfranzke removed their assignment Jul 22, 2025
@mfranzke mfranzke enabled auto-merge (squash) July 22, 2025 07:45
@mfranzke mfranzke requested a review from Copilot July 22, 2025 14:43
Copilot

This comment was marked as outdated.

@mfranzke mfranzke added the 🍒 cherryPick Code that we should adapt from one repository to another. label Jul 23, 2025
@nmerget
Collaborator

nmerget commented Jul 23, 2025

I think this isn't a good solution.

The package you used just uses npm install --package-lock-only --ignore-scripts to compare the file contents. If we switch to pnpm this package wouldn't work.

Anyways I don't see the problem with npm ci. The first step in our pipeline would fail if the package-lock.json is out of date. This happens sometimes, but most of the time you have to install the dependency to use it in your branch.

Instead of adding this we should consider solving #3372 and move to pnpm. A lot of current problems would be solved with pnpm.

@mfranzke
Collaborator Author

mfranzke commented Jul 23, 2025

> I think this isn't a good solution.
>
> The package you used just uses npm install --package-lock-only --ignore-scripts to compare the file contents. If we switch to pnpm this package wouldn't work.
>
> Anyways I don't see the problem with npm ci. The first step in our pipeline would fail if the package-lock.json is out of date. This happens sometimes, but most of the time you have to install the dependency to use it in your branch.
>
> Instead of adding this we should consider solving #3372 and move to pnpm. A lot of current problems would be solved with pnpm.

I agree with the idea of removing the package, but I also like the idea of an additional check before pushing. We had some more npm ci failures in our pipelines, which could have been prevented by a conditional QA test on our local hosts. It doesn't hurt anyone.

@mfranzke mfranzke requested a review from Copilot July 23, 2025 09:22
Copilot

This comment was marked as outdated.

@mfranzke mfranzke moved this from 👀 In review to 🏗 In development in UX Engineering Team Backlog Jul 28, 2025
@mfranzke mfranzke marked this pull request as draft July 28, 2025 04:49
auto-merge was automatically disabled July 28, 2025 04:49

Pull request was converted to draft

@mfranzke mfranzke moved this from 🏗 In development to 👀 In review in UX Engineering Team Backlog Aug 1, 2025
@mfranzke mfranzke marked this pull request as ready for review August 1, 2025 20:48
@mfranzke mfranzke enabled auto-merge (squash) August 1, 2025 20:49
@mfranzke mfranzke requested a review from Copilot August 2, 2025 01:31
Contributor

@Copilot Copilot AI left a comment


Pull Request Overview

This PR adds verification to ensure package-lock.json files are up to date before pushing changes, to prevent out-of-date lock files from being committed. The implementation adds both pre-push and pre-commit hooks to detect and handle package manager file changes.

  • Adds a pre-push hook that detects changes to package manager files and automatically runs install commands to verify lock files are current
  • Adds a lint-staged rule to run npm audit fix on package-lock.json changes during pre-commit
  • Supports both npm and pnpm package managers with automatic detection based on lock file presence

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

Reviewed files:
  • .husky/pre-push: New pre-push hook script that detects package manager files and runs install commands to verify lock files are up to date
  • .config/.lintstagedrc.js: Adds an npm audit fix rule for package-lock.json files during pre-commit
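
The pre-push check the overview describes, written out as an added example and not the PR's own .husky/pre-push: it assumes npm's --package-lock-only/--ignore-scripts and pnpm's --lockfile-only/--ignore-scripts flags, detects the package manager from which lockfile is present, and only runs the check for pushes that touch a manifest or lockfile.

```shell
#!/bin/sh
# Added example (not the PR's own .husky/pre-push): refuse the push when the
# lockfile would change after a lockfile-only, scripts-disabled install.
ZERO_SHA=0000000000000000000000000000000000000000

# Print the package manager that owns the lockfile in $1: pnpm, npm or none.
detect_pm() {
  if [ -f "$1/pnpm-lock.yaml" ]; then echo pnpm
  elif [ -f "$1/package-lock.json" ]; then echo npm
  else echo none; fi
}

# Print the lockfile-only install command; --ignore-scripts keeps the
# check from executing any dependency lifecycle script.
install_cmd() {
  case "$1" in
    npm)  echo "npm install --package-lock-only --ignore-scripts" ;;
    pnpm) echo "pnpm install --lockfile-only --ignore-scripts" ;;
    *)    return 1 ;;
  esac
}

# Read file names on stdin; succeed if any is a manifest or lockfile.
touches_manifest() {
  grep -qxE '(.*/)?(package\.json|package-lock\.json|pnpm-lock\.yaml)'
}

# Regenerate the lockfile without installing, then fail if git sees a diff.
verify_lockfile() {
  cmd=$(install_cmd "$(detect_pm .)") || return 0   # no lockfile: nothing to check
  $cmd >/dev/null || return 1
  if ! git diff --quiet -- package-lock.json pnpm-lock.yaml; then
    echo "pre-push: lockfile is out of date; commit the regenerated file first" >&2
    return 1
  fi
}

# git feeds "<local ref> <local sha> <remote ref> <remote sha>" per pushed ref.
run_hook() {
  while read -r _ local_sha _ remote_sha; do
    [ "$local_sha" = "$ZERO_SHA" ] && continue   # ref deletion, nothing to verify
    if [ "$remote_sha" = "$ZERO_SHA" ] \
       || git diff --name-only "$remote_sha" "$local_sha" | touches_manifest; then
      verify_lockfile || exit 1
    fi
  done
}

# git passes remote name and URL as arguments; with none, only the functions are defined.
if [ $# -ge 2 ]; then run_hook "$@"; fi
```

A drifted lockfile is left modified in the working tree, so the developer sees exactly what npm or pnpm would have changed and can commit it before retrying the push.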

@mfranzke mfranzke changed the title from "feat: verify package-lock.json UTD (up to date)" to "feat: verify package-lock.json UTD (up to date) & audited" Aug 4, 2025