terraform-aws-lambda
feat: Respect the package-lock.json for a NodeJS Lambda function
Description
Respect the package-lock.json so that the NodeJS Lambda gets reproducible builds, which are critical in production environments. Similarly to the Poetry case, copy a lock file, if one is present, to a temporary build directory. npm will use a package-lock.json file when it is available in the working directory.
In the example package.json, require a lower requests version to demonstrate package-lock.json usage. package.json specifies ~0.2.0 and the latest available matching version is 0.2.2, but package-lock.json freezes version 0.2.1, and that version gets installed with this change, whereas previously 0.2.2 would have been installed.
Motivation and Context
- Reproducible builds are critical in production environments. This property is missing when installing dependencies with npm because the package-lock.json is not copied to a temporary build directory.
- https://github.com/terraform-aws-modules/terraform-aws-lambda/issues/423
Breaking Changes
- Nothing changes when package-lock.json is not present in the source directory.
- When package-lock.json is present, it will be honoured going forward, by default, which would be the expected behaviour. This should be desired because a new version of a dependency might unexpectedly break a deployment, as mentioned in https://github.com/terraform-aws-modules/terraform-aws-lambda/issues/423, while locked dependencies would have been tested in unit tests. If someone doesn't want to lock their dependencies, they shouldn't have a lock file.
How Has This Been Tested?
- [x] I have updated at least one of the examples/* to demonstrate and validate my change(s)
  - I have added new examples to demonstrate my change and preserved old ones to demonstrate it did not break them.
- [x] I have tested and validated these changes using one or more of the provided examples/* projects
  - I ran terraform apply in examples/build-package/ (with irrelevant Python examples commented out for clarity).
  - In the builds directory, I checked whether the zip file's content appeared as expected.
    - Old examples install the requests-0.3.0 dependency.
    - New examples install the requests-0.2.1 dependency, as expected.
- [x] I have executed pre-commit run -a on my pull request
  - It automatically added new examples to the list.
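To illustrate the fix this PR describes, here is an added Python example (not the module's own package.py code): it stages a temporary build directory by copying package.json and package-lock.json the way the PR does, then inspects the staged lock file to report whether the install is pinned with integrity hashes or will float to the newest version matching the semver range. The sample package data, file layout and integrity value are constructed for the example.

```python
import json
import os
import shutil
import tempfile

# Constructed sample files, modelled on the PR's example: package.json asks for
# requests ~0.2.0 while package-lock.json pins 0.2.1. The hash is a placeholder.
PACKAGE_JSON = {"name": "demo", "dependencies": {"requests": "~0.2.0"}}
PACKAGE_LOCK = {"name": "demo", "lockfileVersion": 2, "packages": {
    "": {"dependencies": {"requests": "~0.2.0"}},
    "node_modules/requests": {"version": "0.2.1",
                              "integrity": "sha512-CONSTRUCTED-PLACEHOLDER"}}}

def stage_npm_build(source_dir, build_dir):
    """Copy package.json and, if present, package-lock.json into build_dir."""
    copied = []
    for name in ("package.json", "package-lock.json"):
        src = os.path.join(source_dir, name)
        if os.path.isfile(src):
            shutil.copy2(src, os.path.join(build_dir, name))
            copied.append(name)
    return copied

def lock_status(build_dir):
    """('locked', {pkg: ver}) when every locked package carries an integrity
    hash, ('unpinned', {pkg: ver}) otherwise, ('floating', {}) with no lock."""
    path = os.path.join(build_dir, "package-lock.json")
    if not os.path.isfile(path):
        return ("floating", {})  # semver ranges in package.json resolve at build
    with open(path) as fh:
        lock = json.load(fh)
    pinned, missing = {}, {}
    for key, entry in lock.get("packages", {}).items():
        if not key:  # "" is the root project entry, not a dependency
            continue
        pkg = key.rsplit("node_modules/", 1)[-1]
        target = pinned if entry.get("integrity") else missing
        target[pkg] = entry.get("version")
    return ("unpinned", missing) if missing else ("locked", pinned)

def demo(with_lock=True):
    """Write the constructed files to a temp source dir, stage a build dir."""
    source_dir, build_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    with open(os.path.join(source_dir, "package.json"), "w") as fh:
        json.dump(PACKAGE_JSON, fh)
    if with_lock:
        with open(os.path.join(source_dir, "package-lock.json"), "w") as fh:
            json.dump(PACKAGE_LOCK, fh)
    return stage_npm_build(source_dir, build_dir), lock_status(build_dir)
```

Without the lock file in the build directory the status is "floating", which is exactly the pre-PR behaviour that let 0.2.2 replace the tested 0.2.1.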
This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 10 days
I have forked the repository, and we have been using the patched module in production at my company for almost a month now with no issues. Could it be included in the next release so that we can switch back to the original module, please?
This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 10 days
@antonbabenko, could you please consider this PR? We have used the fix in production for almost two months without any issues. It would be nice if we could switch back to the official repo.
This PR has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this PR will be closed in 10 days
@antonbabenko, could you please consider this PR? We have used the fix in production for almost three months without any issues. It would be nice if we could switch back to the official repo.
This PR is included in version 8.1.0 :tada:
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.