Use lockfile-lint to vet package-lock.json (#1348)

ericcornelissen · Dec 20, 2023 · 5477611 · 5477611
1 parent 95387a1
commit 5477611
Show file tree

Hide file tree

Showing 3 changed files with 310 additions and 2 deletions.
diff --git a/.github/workflows/config-npm.yml b/.github/workflows/config-npm.yml
@@ -4,12 +4,14 @@ on:
     paths:
       - .github/workflows/config-npm.yml
       - package.json
+      - package-lock.json
   push:
     branches:
       - main
     paths:
       - .github/workflows/config-npm.yml
       - package.json
+      - package-lock.json
 
 permissions: read-all
 
@@ -43,3 +45,32 @@ jobs:
         run: npm clean-install
       - name: Validate package.json
         run: npm run vet:package.json
+  package-lock-json:
+    name: package-lock.json
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            actions-results-receiver-production.githubapp.com:443
+            api.github.com:443
+            artifactcache.actions.githubusercontent.com:443
+            github.com:443
+            gitlab.com:443
+            nodejs.org:443
+            objects.githubusercontent.com:443
+            registry.npmjs.org:443
+      - name: Checkout repository
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - name: Install Node.js
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        with:
+          cache: npm
+          node-version-file: .nvmrc
+      - name: Install dependencies
+        run: npm clean-install
+      - name: Validate package-lock.json
+        run: npm run vet:package-lock.json
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -83,6 +83,7 @@
     "is-ci": "3.0.1",
     "knip": "3.0.2",
     "licensee": "10.0.0",
+    "lockfile-lint": "4.12.1",
     "markdownlint-cli": "0.38.0",
     "nve": "17.0.0",
     "prettier": "3.1.1",
@@ -140,8 +141,9 @@
     "test:unit": "ava test/unit/**/*.test.js",
     "transpile": "rollup --config config/rollup.js && node script/create-d-cts.js",
     "verify": "npm run format:check && npm run license-check && npm run lint && npm run coverage && npm run vet",
-    "vet": "npm run vet:deps && npm run vet:package.json",
+    "vet": "npm run vet:deps && npm run vet:package.json && npm run vet:package-lock.json",
     "vet:deps": "knip --config config/knip.jsonc",
-    "vet:package.json": "publint --strict && attw --pack ."
+    "vet:package.json": "publint --strict && attw --pack .",
+    "vet:package-lock.json": "lockfile-lint --path package-lock.json --allowed-hosts npm gitlab.com --validate-https"
   }
 }