Track package-lock.json for deterministic builds (#44)

jonathanhefner · claude · web-flow · commit 5e78a1ef059e · 2025-12-01T20:06:32.000Z
* Track package-lock.json for deterministic builds - Remove package-lock.json from .gitignore - Add CI check to verify no private registry URLs in package-lock.json - Add fresh package-lock.json from registry.npmjs.org 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Mark package-lock.json as generated in .gitattributes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1 @@
+package-lock.json linguist-generated=true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -12,6 +12,9 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Verify no private URLs in package-lock.json
+        run: '! grep -E "\"resolved\": \"https?://" package-lock.json | grep -v registry.npmjs.org'
+
       - uses: oven-sh/setup-bun@v2
         with:
           bun-version: latest
diff --git a/.gitignore b/.gitignore
@@ -1,7 +1,6 @@
 .DS_Store
 dist/
 node_modules/
-package-lock.json
 yarn.lock
 .vscode/
 docs/api/
diff --git a/package-lock.json b/package-lock.json

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+package-lock.json linguist-generated=true`