feat(npx): switch from npm to npx to isolate dependencies

thomasleplus · thomasleplus · commit 09c660721a2d · 2025-11-10T18:28:13.000+01:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -15,6 +15,14 @@ updates:
       default-days: 7
     commit-message:
       prefix: build(deps)
+  - package-ecosystem: "npm"
+    directory: "/json"
+    schedule:
+      interval: "daily"
+    cooldown:
+      default-days: 7
+    commit-message:
+      prefix: build(deps)
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
diff --git a/README.md b/README.md
@@ -58,6 +58,12 @@ To know more command-line options of `jq`:
 docker run --rm --net=none leplusorg/json jq -h
 ```
 
+## NPM Packages
+
+Use the `npx` command to run command-line tools coming from npm
+packages. This ensures isolation between the different packages
+(including potentially conflicting dependencies).
+
 ## Software Bill of Materials (SBOM)
 
 To get the SBOM for the latest image (in SPDX JSON format), use the
diff --git a/json/Dockerfile b/json/Dockerfile
@@ -39,14 +39,11 @@ RUN pipx ensurepath --global \
     && xargs -a /tmp/requirements.txt -n 1 pipx install --global \
     && rm -f /tmp/requirements.txt
 
-RUN npm install -g \
-    jslint@0.12.1 \
-    jsonlint@1.6.3 \
-    jsonpath-plus@10.3.0 \
-    jwt-cli@2.0.0 \
-    prettier@3.6.2 \
-    prettyjson@1.2.5 \
-    v8r@5.1.0
+COPY package.json /tmp/package.json
+
+RUN jq -r '.dependencies | to_entries[] | "\(.key)@\(.value)"' /tmp/package.json \
+    | xargs -n 1 npm install -g \
+    && rm -f /tmp/package.json
 
 RUN adduser \
   --home "${USER_HOME}" \
diff --git a/json/docker-compose.test.yml b/json/docker-compose.test.yml
@@ -16,23 +16,24 @@ services:
         csvsql --version # csvkit
         curl --version # curl
         dasel --version # dasel
-        echo | prettyjson # prettyjson
+        echo | npx prettyjson # prettyjson
         git --version # git
         grep --version # grep
         jf -v # jsonfmt
         jp --version # jp
-        jsonpath-plus <(echo '{}') / # jsonpath-plus
+        npx jsonpath-plus <(echo '{}') / # jsonpath-plus
         jq --version # jq
-        jslint --version # jsonlint
-        jsonlint --help # jsonlint
+        npx jslint --version # jslint
+        npx jsonlint --help # jsonlint
+        echo 'eyJhbGciOiJub25lIn0.e30.' | npx jwt-cli # checkov:skip=CKV_SECRET_9: [JSON Web Token]: not a real secret # jwt-cli
         mlr --version # miller
         npm --version # npm
         openssl --version # openssl
         pandoc --version # pandoc
         pip --version # py3-pip
         pipx --version # pipx
-        prettier --version # prettier
+        npx prettier --version # prettier
         python --version # python3
         remarshal --version # remarshal
-        v8r --version # v8r
+        npx v8r --version # v8r
       '
diff --git a/json/package.json b/json/package.json
@@ -0,0 +1,13 @@
+{
+  "name": "docker-json",
+  "version": "0.0.0",
+  "dependencies": {
+    "jslint": "0.12.1",
+    "jsonlint": "1.6.3",
+    "jsonpath-plus": "10.3.0",
+    "jwt-cli": "2.0.0",
+    "prettier": "3.6.2",
+    "prettyjson": "1.2.5",
+    "v8r": "5.1.0"
+  }
+}
