Commit 0f444ae

feat!: stop including npm-shrinkwrap.json (#8163)
#### Summary

Per https://docs.npmjs.com/cli/v11/configuring-npm/npm-shrinkwrap-json, one of the intended use cases for `npm-shrinkwrap.json` is

> command-line tools intended as global installs or devDependencies

[For several years](#2223), this is what we've done with Netlify CLI. This has come with... some pushback: #6731. Including from the creator of NPM.

On one hand, ensuring dependencies are pinned makes installs deterministic and *helps* with security by preventing certain classes of supply chain vulnerabilities. On the other hand, when vulnerabilities are disclosed and patched, Netlify CLI users cannot benefit from those patches until Netlify CLI maintainers specifically bump them and publish a new release. Users can't even `npm audit fix`. Also, pnpm, yarn, bun, and all package managers other than npm do not respect `npm-shrinkwrap.json` anyway.

It also honestly adds some maintenance complexity for us. We have some strange scripts needed to make this work, for example to exclude our own dev dependencies from the file. We've encountered [some strange shrinkwrap-specific bugs](#7769). And reacting quickly to all the incoming CVEs is disruptive.

Also, in some cases users may lose out on potential dependency deduping in their tree (and global caching on their machine, with some package managers).

**✅ Verdict: remove it.**

Closes #6731

Co-authored-by: Eduardo Bouças <mail@eduardoboucas.com>
1 parent 28c958f commit 0f444ae

3 files changed

+2
-57
lines changed

package.json

Lines changed: 0 additions & 2 deletions
@@ -9,7 +9,6 @@
99
},
1010
"files": [
1111
"/bin",
12-
"/npm-shrinkwrap.json",
1312
"/scripts",
1413
"/functions-templates",
1514
"/dist"
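Review bot: dropping `"/npm-shrinkwrap.json"` from the `files` allowlist only stops package.json from naming it; a lockfile that is still sitting at the package root when `npm publish` runs is not reliably excluded by the allowlist alone, because npm handles that root-level file separately from ordinary paths. Since the intent of the commit is "stop including", pair this with deleting any checked-in copy and adding `npm-shrinkwrap.json` to `.gitignore`, or with a pre-pack check that fails when the file exists.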
@@ -52,7 +51,6 @@
5251
"test:integration": "vitest run --retry=3 tests/integration/",
5352
"test:unit": "vitest run tests/unit/",
5453
"postinstall": "node ./scripts/postinstall.js",
55-
"prepublishOnly": "node ./scripts/prepublishOnly.js",
5654
"typecheck": "tsc",
5755
"typecheck:watch": "tsc --watch"
5856
},
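Review bot: with `"prepublishOnly"` removed there is no lifecycle hook left that runs before `npm publish`; that is consistent with the change, since the deleted script only existed to guarantee a shrinkwrap, but confirm no CI workflow still calls `npm run prepublishOnly` explicitly, as it would now fail with a missing-script error. `"postinstall": "node ./scripts/postinstall.js"` stays and `"/scripts"` remains in `files`, so that path continues to ship.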

scripts/netlifyPackage.js

Lines changed: 2 additions & 26 deletions
@@ -1,9 +1,6 @@
11
// @ts-check
2-
import assert from 'node:assert'
3-
import { dirname, resolve } from 'node:path'
4-
import { readFile, stat, writeFile } from 'node:fs/promises'
5-
6-
import execa from 'execa'
2+
import { resolve } from 'node:path'
3+
import { readFile, writeFile } from 'node:fs/promises'
74

85
/**
96
* @import {Package} from "normalize-package-data"
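Review bot: `execa`, `assert`, `stat` and `dirname` are dropped from the imports here; if this script was the only consumer of `execa`, it can come out of devDependencies in the same change. `resolve` is kept even though its only visible use in this file was the deleted `stat(resolve(packageJSON.path, '../npm-shrinkwrap.json'))` call, so check that it is still referenced further down or remove it too.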
@@ -35,34 +32,13 @@ async function preparePackageJSON() {
3532
...packageJSON.contents,
3633
main: './dist/index.js',
3734
name: 'netlify',
38-
scripts: {
39-
...packageJSON.contents.scripts,
40-
41-
// We don't need the pre-publish script because we expect the work in
42-
// there to be done when publishing the `netlify-cli` package. We'll
43-
// ensure this is the case by throwing if a shrinkwrap file isn't found.
44-
prepublishOnly: undefined,
45-
},
4635
bin: {
4736
npxnetlify: binPath,
4837
},
4938
}
5039

51-
try {
52-
const shrinkwrap = await stat(resolve(packageJSON.path, '../npm-shrinkwrap.json'))
53-
54-
assert.ok(shrinkwrap.isFile())
55-
} catch {
56-
throw new Error('Failed to find npm-shrinkwrap.json file. Did you run the pre-publish script?')
57-
}
58-
5940
console.log(`Writing updated package.json to ${packageJSON.path}...`)
6041
await writeFile(packageJSON.path, `${JSON.stringify(newPackageJSON, null, 2)}\n`)
61-
62-
console.log('Regenerating shrinkwrap file with updated package name...')
63-
await execa('npm', ['shrinkwrap'], {
64-
cwd: dirname(packageJSON.path),
65-
})
6642
}
6743

6844
await preparePackageJSON()
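Review bot: the deleted `try { ... stat(...) ... }` block was the only pre-write check in this script, and now that the goal is to never ship a shrinkwrap, the inverse guard belongs in its place: fail if `npm-shrinkwrap.json` exists next to `packageJSON.path`, so a lockfile generated locally by an earlier `npm shrinkwrap` run cannot be published under the `netlify` name with pinned, possibly outdated dependencies. Something like
`await stat(resolve(packageJSON.path, '../npm-shrinkwrap.json')).then(() => { throw new Error('Stale npm-shrinkwrap.json found; delete it before publishing') }, () => {})`
would keep the `stat` and `resolve` imports meaningful. Removing the `scripts: { prepublishOnly: undefined }` override is fine on its own, since `prepublishOnly` is deleted from the source package.json in this same commit and the spread of `packageJSON.contents` now carries the scripts through unchanged.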

scripts/prepublishOnly.js

Lines changed: 0 additions & 29 deletions
This file was deleted.
