Skip to content

build: use version control lockfile of package dependencies for development#2551

Open
zimeg wants to merge 2 commits intomainfrom
zimeg-build-lockfile
Open

build: use version control lockfile of package dependencies for development#2551
zimeg wants to merge 2 commits intomainfrom
zimeg-build-lockfile

Conversation

@zimeg
Copy link
Copy Markdown
Member

@zimeg zimeg commented Apr 13, 2026

Summary

This PR uses a version controlled lockfile of package dependencies for development to guard against drift in development and supply chain attacks for #2541 🔏

Notes

  • This lockfile is not included with published packages so we are not binding versions with this change:

package-lock.json cannot be published...

🔗 https://docs.npmjs.com/cli/v11/configuring-npm/package-lock-json

Requirements

@zimeg zimeg self-assigned this Apr 13, 2026
@zimeg zimeg requested a review from a team as a code owner April 13, 2026 19:04
@zimeg zimeg added semver:patch security dependencies Pull requests that update a dependency file labels Apr 13, 2026
@changeset-bot
Copy link
Copy Markdown

changeset-bot bot commented Apr 13, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: 56ac0d5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@codecov
Copy link
Copy Markdown

codecov bot commented Apr 13, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.42%. Comparing base (175dcb8) to head (56ac0d5).
✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #2551   +/-   ##
=======================================
  Coverage   87.42%   87.42%           
=======================================
  Files          62       62           
  Lines       10249    10249           
  Branches      415      415           
=======================================
  Hits         8960     8960           
  Misses       1268     1268           
  Partials       21       21
Flag Coverage Δ
cli-hooks 87.42% <ø> (ø)
cli-test 87.42% <ø> (ø)
logger 87.42% <ø> (ø)
oauth 87.42% <ø> (ø)
socket-mode 87.42% <ø> (ø)
web-api 87.42% <ø> (ø)
webhook 87.42% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@zimeg zimeg linked an issue Apr 13, 2026 that may be closed by this pull request
Commit a lockfile to protect against supply chain attacks #2541
Open
WilliamBergamin
WilliamBergamin approved these changes Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@WilliamBergamin WilliamBergamin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to confirm we are including this only at the top level, not individual package level? 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@WilliamBergamin WilliamBergamin WilliamBergamin approved these changes

Assignees

@zimeg zimeg

Labels

dependencies Pull requests that update a dependency file security semver:patch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Commit a lockfile to protect against supply chain attacks

2 participants

@zimeg @WilliamBergamin