Hi! Thanks for maintaining this action.
I'm a maintainer of apache/infrastructure-actions, where we maintain an allowlist of GitHub Actions that ASF projects are permitted to use. Part of our review process is auditing each action (and each version bump) for supply-chain risk.
While reviewing a Dependabot bump from 23.0.0 → 23.1.0 (apache/infrastructure-actions#784), I noticed the repo doesn't ship a lock file (package-lock.json / npm-shrinkwrap.json).
Would you consider committing one? The reasoning:
- The action is bundled (
dist/index.mjs via ncc), so dist/ is what actually runs at the consumer side. To audit it, a reviewer needs to reproduce the build and compare — that requires a deterministic dependency graph.
- Without a lock file,
npm install resolves transitive dependencies at build time, so two builds of the same source commit can produce different dist/ contents depending on when they were built. That makes reproducibility (and therefore review) harder for downstream consumers.
- A compromised transitive dep at the moment
dist/ is generated could be silently bundled into a release, with no signal to reviewers that anything changed in the source tree.
Adding a package-lock.json (committed to the repo) would let downstream auditors:
- Pin to a known dependency closure for each released SHA.
- Reproduce the
dist/ artifact deterministically.
- Catch unexpected transitive-dep movement via lockfile diffs.
If you'd prefer a different mechanism (e.g. npm-shrinkwrap.json, or pinning all transitives in package.json), that would also work for our purposes — the goal is just a deterministic dependency closure per release.
Happy to send a PR with npm install --package-lock-only and the resulting lock file if that helps. Thanks for considering!
Hi! Thanks for maintaining this action.
I'm a maintainer of apache/infrastructure-actions, where we maintain an allowlist of GitHub Actions that ASF projects are permitted to use. Part of our review process is auditing each action (and each version bump) for supply-chain risk.
While reviewing a Dependabot bump from 23.0.0 → 23.1.0 (apache/infrastructure-actions#784), I noticed the repo doesn't ship a lock file (
package-lock.json/npm-shrinkwrap.json).Would you consider committing one? The reasoning:
dist/index.mjsviancc), sodist/is what actually runs at the consumer side. To audit it, a reviewer needs to reproduce the build and compare — that requires a deterministic dependency graph.npm installresolves transitive dependencies at build time, so two builds of the same source commit can produce differentdist/contents depending on when they were built. That makes reproducibility (and therefore review) harder for downstream consumers.dist/is generated could be silently bundled into a release, with no signal to reviewers that anything changed in the source tree.Adding a
package-lock.json(committed to the repo) would let downstream auditors:dist/artifact deterministically.If you'd prefer a different mechanism (e.g.
npm-shrinkwrap.json, or pinning all transitives inpackage.json), that would also work for our purposes — the goal is just a deterministic dependency closure per release.Happy to send a PR with
npm install --package-lock-onlyand the resulting lock file if that helps. Thanks for considering!