Remove package-lock.json files when building artefacts

[siliconmeadow]

Is your feature request related to a problem? Please describe.
A client has recently used Detectify to scan for vulnerabilities on their site and asked us to address the package-lock.json file present at https://client-site.dom/themes/custom/client-theme/package-lock.json.

Describe the solution you'd like
Since blt deploy does such a good job clearing out the node_modules directory when creating the build artefact, it would seems like it would be also handy to ensure any package-lock.json files were not present in the build artefact too. No?

Describe alternatives you've considered
We could address that by adding a .htaccess file to the theme directory to hide the file.

Additional context
Perhaps it is something which has been addressed in blt/blt.yml already and I just don't see it. If it's there, please put me out of my misery and I'm sorry for creating this ticket.

[danepowell]

Since blt deploy does such a good job clearing out the node_modules directory when creating the build artefact

This statement could be interpreted incorrectly, so just to clarify: BLT does clear out node_modules when initializing the artifact, but it then runs the frontend install hooks that are expected to repopulate the node_modules directory with any production dependencies (i.e. frontend libraries).

If it excluded package-lock.json as part of the same rsync step, then the frontend install hooks would fail.

The proper way to fix this is by adding package-lock.json to your deploy .gitignore. I'd accept a PR for this as well.

More details on how to customize the build process, including the deploy .gitignore: https://docs.acquia.com/blt/extending-blt/#modifying-the-build-artifact

[siliconmeadow]

[siliconmeadow]

I closed this and then re-opened only minutes later after reading this:

https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/