feat(npx): switch from npm to npx to isolate dependencies (#321)

thomasleplus · web-flow · commit be569cb8c32a · 2025-11-10T19:19:07.000+01:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -24,6 +24,14 @@ updates:
       default-days: 7
     commit-message:
       prefix: build(deps)
+  - package-ecosystem: "npm"
+    directory: "/xml"
+    schedule:
+      interval: "daily"
+    cooldown:
+      default-days: 7
+    commit-message:
+      prefix: build(deps)
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
diff --git a/README.md b/README.md
@@ -66,6 +66,12 @@ To know more command-line options of `xmllint`:
 docker run --rm --net=none leplusorg/xml xmllint --help
 ```
 
+## NPM Packages
+
+Use the `npx` command to run command-line tools coming from npm
+packages. This ensures isolation between the different packages
+(including potentially conflicting dependencies).
+
 ## Software Bill of Materials (SBOM)
 
 To get the SBOM for the latest image (in SPDX JSON format), use the
diff --git a/xml/Dockerfile b/xml/Dockerfile
@@ -25,6 +25,7 @@ RUN apk upgrade --no-cache \
     git=2.49.1-r0 \
     grep=3.12-r0 \
     html-xml-utils=8.7-r0 \
+    jq=1.8.0-r0 \
     libxml2-utils=2.13.9-r0 \
     libxslt=1.1.43-r3 \
     maven=3.9.9-r0 \
@@ -48,9 +49,11 @@ RUN pipx ensurepath --global \
     && xargs -a /tmp/requirements.txt -n 1 pipx install --global \
     && rm -f /tmp/requirements.txt
 
-RUN npm install -g \
-    prettier@3.6.2 \
-    v8r@5.1.0
+COPY package.json /tmp/package.json
+
+RUN jq -r '.dependencies | to_entries[] | "\(.key)@\(.value)"' /tmp/package.json \
+    | xargs -n 1 npm install -g \
+    && rm -f /tmp/package.json
 
 RUN mkdir -p /opt/saxon
 
diff --git a/xml/docker-compose.test.yml b/xml/docker-compose.test.yml
@@ -20,13 +20,15 @@ services:
         grep --version # grep
         java --version # openjdk21-jre-headless
         jf -v # jsonfmt
+        jq --version # jq
         mvn --version # maven
         pandoc --version # pandoc
         pip --version # py3-pip
         pipx --version # pipx
-        prettier --version # prettier
+        npx prettier --version # prettier
         python --version # python3
         remarshal --version # remarshal
+        npx v8r --version # v8r
         xmlindent -v # xmlindent
         xmllint --version # libxml2-utils
         xmlsec1 --version # xmlsec
diff --git a/xml/package.json b/xml/package.json
@@ -0,0 +1,9 @@
+{
+  "name": "docker-xml",
+  "version": "1.0.0",
+  "description": "XML processing tools",
+  "dependencies": {
+    "prettier": "3.6.2",
+    "v8r": "5.1.0"
+  }
+}
