I have a monorepo project, with one of the packages being a cli. And to prevent npm supply chain attacks I am thinking of using npm-shrinkwrap.
The documentation here says:
The recommended use-case for npm-shrinkwrap.json is applications deployed through the publishing process on the registry: for example, daemons and command-line tools intended as global installs or devDependencies
This is exactly what I want, as I am deploying a command-line tool. The only problem is, it seems npm-shrinkwrap does not support workspaces.
Let's say the cli part of my monorepo can be found in the path /code/packages/cli. When I switch to it and run npm shrinkwrap, I get the error:
npm ERR! code ENOWORKSPACES
npm ERR! This command does not support workspaces.
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/me/.npm/_logs/2022-05-16T20_53_41_147Z-debug-0.log
If I switch to the root of the project, that is /code/, and I run npm shrinkwrap, it does generate an npm-shrinkwrap.json with the following structure:
{
  "name": "root",
  "version": "1.0.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "root",
      "version": "1.0.0",
      "license": "ISC",
      "workspaces": [
        "packages/*"
      ],
      "devDependencies": {
        "lerna": "^4.0.0"
      }
    },
    "packages/cli": {
      "name": "@proj/cli",
      "version": "1.0.0",
      "extraneous": true,
      "license": "ISC"
    }
  }
}
But the only problem is, this is not the exact structure that should be created for the cli. Also, when I publish the package (using lerna), the npm-shrinkwrap.json is never included in the cli package.
Any tips on how to make npm-shrinkwrap work with workspaces? Basically, how to have the npm-shrinkwrap.json generated for a package in a monorepo and have that included when that package is released?
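As an added example (not code from the question, the answer, or npm itself), here is a small Node.js script that checks whether a lockfileVersion 2 npm-shrinkwrap.json actually pins the package you are about to publish, which is the property the shrinkwrap has to have for it to be worth anything against a supply-chain attack: the "" entry must be the package itself, no entry may be flagged extraneous (as packages/cli is in the root-level file above), and every non-link entry needs a resolved URL and an integrity hash. The two lockfile objects embedded in it are constructed samples; @proj/cli is taken from the question, while example-dep, its version, its URL and its integrity string are placeholders.

```javascript
"use strict";

// Root-level shrinkwrap with the shape shown in the question: the cli
// appears only as an "extraneous" path entry and nothing is pinned.
const rootShrinkwrap = {
  name: "root",
  version: "1.0.0",
  lockfileVersion: 2,
  requires: true,
  packages: {
    "": {
      name: "root",
      version: "1.0.0",
      license: "ISC",
      workspaces: ["packages/*"],
      devDependencies: { lerna: "^4.0.0" },
    },
    "packages/cli": { name: "@proj/cli", version: "1.0.0", extraneous: true, license: "ISC" },
  },
};

// Constructed sample of what a shrinkwrap generated for the cli on its own
// should look like: "" is the cli itself and each installed dependency has a
// resolved URL plus an integrity hash. example-dep, its version, URL and the
// integrity string are placeholders, not real registry data.
const cliShrinkwrap = {
  name: "@proj/cli",
  version: "1.0.0",
  lockfileVersion: 2,
  requires: true,
  packages: {
    "": {
      name: "@proj/cli",
      version: "1.0.0",
      dependencies: { "example-dep": "^1.0.0" },
    },
    "node_modules/example-dep": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/example-dep/-/example-dep-1.0.0.tgz",
      integrity: "sha512-PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACE==",
    },
  },
};

// SRI hash formats npm accepts in "integrity".
const INTEGRITY_RE = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

// Inspect a lockfileVersion >= 2 shrinkwrap object and report whether it
// pins `expectedName`'s dependency tree well enough to ship with the package.
function auditShrinkwrap(lock, expectedName) {
  const report = {
    lockfileVersion: lock.lockfileVersion,
    rootName: null,
    rootMatches: false,
    extraneous: [], // paths npm flagged as not belonging to the tree
    unpinned: [],   // paths without a resolved URL + integrity hash
    ok: false,
  };
  // lockfileVersion 1 files have no "packages" map; treat them as unverifiable.
  if (!(lock.lockfileVersion >= 2) || typeof lock.packages !== "object" || lock.packages === null) {
    return report;
  }
  const root = lock.packages[""];
  report.rootName = root && root.name !== undefined ? root.name : lock.name;
  report.rootMatches = report.rootName === expectedName;

  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue;
    if (entry.extraneous) report.extraneous.push(path);
    // Workspace symlinks ("link": true) carry no tarball, so skip the pin check.
    if (entry.link) continue;
    const pinned =
      typeof entry.resolved === "string" &&
      entry.resolved.length > 0 &&
      INTEGRITY_RE.test(entry.integrity || "");
    if (!pinned) report.unpinned.push(path);
  }
  report.ok = report.rootMatches && report.extraneous.length === 0 && report.unpinned.length === 0;
  return report;
}

// Usage: node audit-shrinkwrap.js [path/to/npm-shrinkwrap.json] [expected-name]
// Without arguments it audits the two embedded samples.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const [file, name] = process.argv.slice(2);
  if (file) {
    const lock = JSON.parse(require("fs").readFileSync(file, "utf8"));
    const report = auditShrinkwrap(lock, name || lock.name);
    console.log(JSON.stringify(report, null, 2));
    process.exitCode = report.ok ? 0 : 1; // non-zero so a publish hook can refuse to ship
  } else {
    console.log("root file:", JSON.stringify(auditShrinkwrap(rootShrinkwrap, "@proj/cli"), null, 2));
    console.log("cli file:", JSON.stringify(auditShrinkwrap(cliShrinkwrap, "@proj/cli"), null, 2));
  }
}

if (typeof module !== "undefined") {
  module.exports = { auditShrinkwrap, rootShrinkwrap, cliShrinkwrap };
}
```

Run against the root-level file from the question it reports rootName "root", packages/cli as both extraneous and unpinned, and ok false; against the constructed cli file it reports ok true. Wiring it into a prepublishOnly script with a non-zero exit is the point: a shrinkwrap that is present but does not describe the published package gives no protection.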
The tool npm-lockfile uses npm's internals and works inside of monorepos. Unfortunately, they're using an old version of @npm/arborist, so it doesn't quite work properly, and you can use my patch for now