govuk-prototype-kit
Shrinkwrap dependencies
We want to try and protect users from supply chain attacks similar to incidents we've seen in the past (specifically rc and ua-parser-js hijacking [1, 2], colors sabotage [3]). We can use a shrinkwrap file to do this [4]: by distributing npm-shrinkwrap.json in our package, users who install the kit will install the same dependency tree as we develop with, meaning we can audit dependency updates for them.
I thought it would just be a case of running npm shrinkwrap, but of course, with Node.js it's never that simple 🤦
It turns out that with older versions of npm there are two major downsides to shrinkwrap: one is that it makes npm's deduplication work less well [1], and two is that npm will install dev dependencies from the shrinkwrap file [2]. These problems are likely to affect users with older installations of Node. This will mean users with older versions of npm will get a larger node_modules folder than necessary. The kit should still work fine though.
Another fun issue is that Node 12 and 14 still ship with those older versions of npm, and in our tests another issue with shrinkwrap breaks the kit installation script. It seems that npm@6 doesn't like it when we install a directory with a shrinkwrap file 🤷 But it can handle installing a tarball with a shrinkwrap file. So if we want to use shrinkwrap and keep the install script the way it is we could change our tests to use a tarball, or upgrade npm before running our CI tests, or stop testing Node 12 and 14.
I'm putting this in blocked until we've made a decision on what versions of Node we support (#1124).
We've dropped support for Node 12 and 14 (see #1753), which means testing this change is no longer an issue. Merging.