feat(npx): switch from npm to npx to isolate dependencies

Author: thomasleplus

.github/dependabot.yml

@@ -15,6 +15,14 @@ updates:
       default-days: 7
     commit-message:
       prefix: build(deps)
+  - package-ecosystem: "npm"
+    directory: "/yaml"
+    schedule:
+      interval: "daily"
+    cooldown:
+      default-days: 7
+    commit-message:
+      prefix: build(deps)
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:

README.md

@@ -67,6 +67,12 @@ popular formats like:
 - Java .properties files (e.g. yq)
 - Microsoft Windows INI files (e.g. yq)
 
+## NPM Packages
+
+Use the `npx` command to run command-line tools coming from npm
+packages. This ensures isolation between the different packages
+(including potentially conflicting dependencies).
+
 ## Software Bill of Materials (SBOM)
 
 To get the SBOM for the latest image (in SPDX JSON format), use the

yaml/Dockerfile

@@ -34,9 +34,11 @@ RUN pipx ensurepath --global \
     && xargs -a /tmp/requirements.txt -n 1 pipx install --global \
     && rm -f /tmp/requirements.txt
 
-RUN npm install -g \
-    prettier@3.6.2 \
-    v8r@5.1.0
+COPY package.json /tmp/package.json
+
+RUN jq -r '.dependencies | to_entries[] | "\(.key)@\(.value)"' /tmp/package.json \
+    | xargs -n 1 npm install -g \
+    && rm -f /tmp/package.json
 
 RUN adduser \
   --home "${USER_HOME}" \

yaml/docker-compose.test.yml

@@ -21,10 +21,10 @@ services:
         jq --version # jq
         pip --version # py3-pip
         pipx --version # pipx
-        prettier --version # prettier
+        npx prettier --version # prettier
         python --version # python3
         remarshal --version # remarshal
-        v8r --version # v8r
+        npx v8r --version # v8r
         yaml-paths --version # yamlpath
         yamllint --version # yamllint
         yq --version # yq-go

yaml/package.json

@@ -0,0 +1,6 @@
+{
+  "dependencies": {
+    "prettier": "3.6.2",
+    "v8r": "5.1.0"
+  }
+}