chore: generate and publish npm-shrinkwrap.json to lock full dependency tree #563
jonathannorris wants to merge 3 commits into main from
Conversation
Deploying with

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! | devcycle-mcp-server | ec29121 | Apr 10 2026, 01:53 PM |
Pull request overview
Adds automated npm-shrinkwrap.json generation during publish to fully lock the transitive dependency tree shipped to npm consumers, and pins direct production dependencies to exact versions.
Changes:
- Add a `prepack` step to generate `npm-shrinkwrap.json` (and adjust `postpack` cleanup).
- Pin production dependencies in `package.json` (and update `yarn.lock` accordingly).
- Add helper scripts for shrinkwrap generation and (future) verification; ignore generated artifacts in `.gitignore`.
Reviewed changes
Copilot reviewed 3 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| yarn.lock | Updates lock entries to reflect newly pinned dependency versions/ranges. |
| scripts/verify-shrinkwrap.js | New verifier/cleaner for shrinkwrap contents vs installed node_modules (not wired yet). |
| scripts/generate-shrinkwrap.js | New generator invoked from prepack to create shrinkwrap while protecting yarn.lock. |
| package.json | Adds shrinkwrap generation to prepack, expands postpack cleanup, pins dependencies, adds shrinkwrap script. |
| .gitignore | Ignores generated shrinkwrap/lock artifacts and yarn.lock backup file. |
Pull request overview
Copilot reviewed 2 out of 5 changed files in this pull request and generated 2 comments.
bf70fc7 to ec29121
Pull request overview
Copilot reviewed 2 out of 5 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
package.json:169
- The newly added `resolutions` entries don't match what's currently in `yarn.lock` (e.g. `vite` resolves to `7.1.11`, `lodash` resolves to `4.17.23`, and `lodash.template` resolves to `4.5.0`). With Yarn Berry, this kind of mismatch typically breaks CI installs; either regenerate `yarn.lock` so it satisfies these resolutions or adjust/remove the resolutions to match the actually resolved versions (and prefer exact versions if the intent is to pin).

```json
"resolutions": {
  "axios@npm:^1.13.6": "1.13.6",
  "axios@npm:^1.6.0": "1.13.6",
  "nanoid@3.3.1": "3.3.8",
```
Pull request overview
Copilot reviewed 2 out of 5 changed files in this pull request and generated 1 comment.
| if (!fs.existsSync(YARN_LOCK)) { | ||
| console.error( | ||
| 'Error: yarn.lock not found. Cannot protect it from npm overwrite.', | ||
| ) | ||
| process.exit(1) | ||
| } |
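Review bot: the fail-fast on a missing yarn.lock is the right call for a prepack step, but the message should include the resolved `YARN_LOCK` path so a run from the wrong working directory is diagnosable, e.g. `` `Error: ${YARN_LOCK} not found. Cannot protect it from npm overwrite.` ``. Since the script's whole purpose is to save and restore this file, consider `fs.statSync(YARN_LOCK).isFile()` instead of `fs.existsSync` so that a directory or dangling symlink at that path does not pass the guard and then fail later inside the save/restore.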
`console` is used throughout this script, but ESLint's JS globals configuration doesn't declare `console` (see `eslint.config.mjs` JS `languageOptions.globals`). This will trigger `no-undef` lint errors (note `scripts/fetch-install-prompts.js` works around this via `/* global console */`). Add the same global directive here or update the ESLint globals to include `console` for JS files.
Summary

- `npm-shrinkwrap.json` generation to the publish pipeline via a new `prepack` step, locking the full transitive dependency tree to the exact versions resolved at build time
- `^` and `~` ranges) as defense-in-depth
- `scripts/generate-shrinkwrap.js` handles the full flow: generates the lockfile via `npm install --package-lock-only`, converts it to shrinkwrap, strips workspace entries (`mcp-worker`), and protects `yarn.lock` from npm's Berry-incompatible rewrite via a save/restore in a `finally` block

Motivation

`package.json` already listed `/npm-shrinkwrap.json` in the `files` array but the file was never generated, so consumers running `npm install -g @devcycle/cli` resolved all caret-ranged transitive deps to whatever was latest at install time. This is the same class of exposure that let the malicious `axios@1.14.1` reach users on March 31. Pinning axios directly in `6.3.0` only covers one package; the shrinkwrap covers the full tree.