I think we should keep these lockfiles (except maybe yarn)
I think consolidating around a package manager is a bit more complicated than deleting these lockfiles.
At minimum, I think we NEED to have lock files for NPM (to cover automation and our customers) and PNPM (to cover our automation).
Lockfiles are most useful as a mitigation against supply chain attacks (we are going to be adding them everywhere in the near future). Deleting them exposes us to more risk. Simply running npm install is a major security risk these days UNLESS our versions are strictly defined in a lockfile. For example:
Consolidation is mostly a CI/Automation problem
To consolidate around a single package manager, the key challenge is actually in our automation (GitHub Actions, GCB, Docker Containers, BazelBot, etc.). These automations use a mixture of PNPM and NPM. Note, that modern supply chain attacks are specifically designed to compromise CI (i.e. with Docker escape mechanisms). As a result, we probably need to keep a NPM and PNPM lock around.
Here are a few usage examples:
Originally posted by @pearigee in #8365 (comment)
I think we should keep these lockfiles (except maybe yarn)
I think consolidating around a package manager is a bit more complicated than deleting these lockfiles.
At minimum, I think we NEED to have lock files for NPM (to cover automation and our customers) and PNPM (to cover our automation).
Lockfiles are most useful as a mitigation against supply chain attacks (we are going to be adding them everywhere in the near future). Deleting them exposes us to more risk. Simply running
npm installis a major security risk these days UNLESS our versions are strictly defined in a lockfile. For example:Consolidation is mostly a CI/Automation problem
To consolidate around a single package manager, the key challenge is actually in our automation (GitHub Actions, GCB, Docker Containers, BazelBot, etc.). These automations use a mixture of PNPM and NPM. Note, that modern supply chain attacks are specifically designed to compromise CI (i.e. with Docker escape mechanisms). As a result, we probably need to keep a NPM and PNPM lock around.
Here are a few usage examples:
Originally posted by @pearigee in #8365 (comment)