Skip to content

chore(deps): pin npm dependencies to exact lockfile versions#583

Merged
tolzhabayev merged 2 commits into
mainfrom
chore/pin-npm-deps
May 20, 2026
Merged

chore(deps): pin npm dependencies to exact lockfile versions#583
tolzhabayev merged 2 commits into
mainfrom
chore/pin-npm-deps

Conversation

@tolzhabayev
Copy link
Copy Markdown
Contributor

@tolzhabayev tolzhabayev commented May 19, 2026

Summary

  • Replace semver ranges in dependencies and devDependencies with the exact versions already resolved in package-lock.json. Direct deps will no longer drift across reinstalls.
  • Harden .npmrc with supply-chain settings:
    • allow-git=none (block git dependencies)
    • ignore-scripts=true (idempotent if already present)
    • min-release-age=3 (only install packages at least 3 days old)
  • peerDependencies and optionalDependencies are intentionally left as ranges. Specifiers using file:, link:, workspace:, git+, npm: (alias), http(s):, or * / latest are also untouched.

Generated by a script that reads package-lock.json and rewrites the direct dep ranges in every package.json to the resolved version. npm install after the change is a no-op (no resolved versions changed).

Test plan

  • CI green
  • npm install produces no further changes

@tolzhabayev
chore(deps): pin npm dependencies and harden .npmrc
38ff34b 
Replace semver ranges in dependencies and devDependencies with the exact
versions already resolved by package-lock.json. Direct deps no longer
drift across reinstalls.

Also harden .npmrc with supply-chain settings:
- allow-git=none (block git dependencies)
- ignore-scripts=true (idempotent if already present)
- min-release-age=3 (only install packages at least 3 days old)
@tolzhabayev tolzhabayev requested a review from a team as a code owner May 19, 2026 13:11
andresmgot
andresmgot previously approved these changes May 19, 2026
View reviewed changes
@github-project-automation github-project-automation Bot moved this from 📬 Triage to 🔬 In review in Grafana Catalog Team May 19, 2026
@tolzhabayev
chore(deps): add missing .npmrc/lockfile updates
30b34d5 
Follow-up to previous commit: include .npmrc supply-chain settings and
lockfile sync that were dropped by a driver bug (git add aborted when
yarn.lock was absent in an npm repo). No spec changes.
@tolzhabayev tolzhabayev merged commit cce23b6 into main May 20, 2026
9 checks passed
@tolzhabayev tolzhabayev deleted the chore/pin-npm-deps branch May 20, 2026 09:10
@github-project-automation github-project-automation Bot moved this from 🔬 In review to 🚀 Shipped in Grafana Catalog Team May 20, 2026
@grafana-plugins-platform-bot grafana-plugins-platform-bot Bot mentioned this pull request May 20, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@academo academo academo approved these changes

@andresmgot andresmgot andresmgot approved these changes

@oshirohugo oshirohugo Awaiting requested review from oshirohugo oshirohugo is a code owner automatically assigned from grafana/grafana-catalog

Assignees

No one assigned

Labels

None yet

Projects

Grafana Catalog Team
Status: 🚀 Shipped

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tolzhabayev @academo @andresmgot