
chore(deps): pin npm dependencies to exact lockfile versions #512

Open

tolzhabayev wants to merge 1 commit into main from chore/pin-npm-deps


Conversation

@tolzhabayev
Contributor

Summary

  • Replace semver ranges in `dependencies` and `devDependencies` with the exact versions already resolved in `package-lock.json`. Direct deps will no longer drift across reinstalls.
  • Harden `.npmrc` with supply-chain settings:
    • `allow-git=none` (block git dependencies)
    • `ignore-scripts=true` (was already set, kept)
    • `min-release-age=3` (only install packages at least 3 days old)
  • `peerDependencies` and `optionalDependencies` are intentionally left as ranges. Specifiers using `file:`, `link:`, `workspace:`, `git+`, `npm:` (alias), `http(s):`, or `*` / `latest` are also untouched.

Generated by a script that reads `package-lock.json` and rewrites every `package.json`'s direct dep ranges to the resolved version. `npm install` after the change is a no-op (no resolved versions changed).

Test plan

  • CI green
  • `npm install` produces no further changes

Replace semver ranges in dependencies and devDependencies with the exact
versions already resolved by package-lock.json. Direct deps no longer
drift across reinstalls.

Also harden .npmrc with supply-chain settings:
- allow-git=none (block git dependencies)
- ignore-scripts=true (was already set, kept)
- min-release-age=3 (only install packages at least 3 days old)
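The rewrite step the description above outlines, as an added example that is not the PR's own script: it takes a parsed `package.json` and a lockfile v2/v3 `package-lock.json`, pins `dependencies` and `devDependencies` to the resolved versions, and leaves `peerDependencies`, `optionalDependencies` and the non-semver specifiers listed in the summary untouched. The sample objects are constructed, not the project's real manifests.

```javascript
// Added example, not the PR's own script: pin the direct-dependency ranges of a
// package.json object to the versions resolved in a lockfile v2/v3 package-lock.json
// object, with the carve-outs the PR describes. Sample data below is constructed.

// Specifiers that are not plain semver ranges and are left untouched.
const SKIP_PREFIXES = ["file:", "link:", "workspace:", "git+", "npm:", "http:", "https:"];
const SKIP_EXACT = new Set(["*", "latest"]);

function shouldSkip(spec) {
  return SKIP_EXACT.has(spec) || SKIP_PREFIXES.some((p) => spec.startsWith(p));
}

// Lockfile v2/v3 records root-level installs under packages["node_modules/<name>"].
function resolvedVersion(lock, name) {
  const entry = (lock.packages || {})[`node_modules/${name}`];
  return entry ? entry.version : undefined;
}

// Returns a new package.json object plus the list of changes. Only
// dependencies and devDependencies are rewritten; peer/optional keep ranges.
function pinDependencies(pkg, lock) {
  const out = JSON.parse(JSON.stringify(pkg));
  const changes = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(out[field] || {})) {
      if (shouldSkip(spec)) continue;
      const version = resolvedVersion(lock, name);
      if (!version || version === spec) continue; // unknown or already exact
      out[field][name] = version;
      changes.push({ field, name, from: spec, to: version });
    }
  }
  return { pkg: out, changes };
}

// Constructed sample input (not real project data).
const samplePkg = {
  dependencies: { react: "^18.2.0", lodash: "~4.17.0", local: "file:../local", alias: "npm:other@^1.0.0" },
  devDependencies: { jest: "29.x", typescript: "latest" },
  peerDependencies: { react: ">=17" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/react": { version: "18.2.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/jest": { version: "29.7.0" },
    "node_modules/typescript": { version: "5.4.5" },
  },
};
```

A dependency missing from the lockfile is left as a range rather than guessed, so a stale lockfile shows up as an unchanged entry instead of a silently invented pin.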
@tolzhabayev tolzhabayev requested a review from a team as a code owner May 19, 2026 13:00
@tolzhabayev tolzhabayev self-assigned this May 19, 2026
@tolzhabayev tolzhabayev requested a review from jackw May 19, 2026 13:00
@github-project-automation github-project-automation Bot moved this from 📬 Triage to 🔬 In review in Grafana Catalog Team May 20, 2026