feat(npx): switch from npm to npx to isolate dependencies (#17)

Author: thomasleplus

.github/dependabot.yml

@@ -15,6 +15,14 @@ updates:
       default-days: 7
     commit-message:
       prefix: build(deps)
+  - package-ecosystem: "npm"
+    directory: "/md"
+    schedule:
+      interval: "daily"
+    cooldown:
+      default-days: 7
+    commit-message:
+      prefix: build(deps)
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:

README.md

@@ -50,6 +50,12 @@ In PowerShell:
 docker run --rm -t --net=none -v "${PWD}:/tmp" leplusorg/md pandoc -o output.html intput.md
 ```
 
+## NPM Packages
+
+Use the `npx` command to run command-line tools coming from npm
+packages. This ensures isolation between the different packages
+(including potentially conflicting dependencies).
+
 ## Software Bill of Materials (SBOM)
 
 To get the SBOM for the latest image (in SPDX JSON format), use the

md/Dockerfile

@@ -23,6 +23,7 @@ RUN apk upgrade --no-cache \
     curl=8.14.1-r2 \
     git=2.49.1-r0 \
     go-md2man=2.0.7-r4 \
+    jq=1.8.0-r0 \
     markdown=1.0.1-r3 \
     npm=11.3.0-r1 \
     pandoc-cli=3.6.4-r0 \
@@ -38,8 +39,11 @@ RUN pipx ensurepath --global \
     && xargs -a /tmp/requirements.txt -n 1 pipx install --global \
     && rm -f /tmp/requirements.txt
 
-RUN npm install -g \
-    [email protected]
+COPY package.json /tmp/package.json
+
+RUN jq -r '.dependencies | to_entries[] | "\(.key)@\(.value)"' /tmp/package.json \
+    | xargs -n 1 npm install -g \
+    && rm -f /tmp/package.json
 
 RUN adduser \
   --home "${USER_HOME}" \

md/docker-compose.test.yml

@@ -19,6 +19,7 @@ services:
         markdown --version # markdown
         mdformat --version # mdformat
         pandoc --version # pandoc
+        npx prettier --version # prettier
         pip --version # py3-pip
         python --version # python3
       '

md/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "docker-md",
+  "version": "0.0.0",
+  "dependencies": {
+    "prettier": "3.6.2"
+  }
+}