Build: Bundle package-lock.json in developer release (and commit to git tag) #4686

Closed
OlivierJaquemet opened this issue Nov 29, 2018 · 4 comments


OlivierJaquemet commented Nov 29, 2018

Do you want to request a feature or report a bug?
Build feature

What is the current behavior?
When an official release is created, the developer zip archive contains the package.json used at build time. However, it does not provide an indication of which "real" versions were used by npm when dependencies were resolved.

What is the expected behavior?
Adding the package-lock.json file to the developer zip archive, and to the git source tree for the corresponding tag, would add many advantages as described in the official NPM package-lock.json documentation.
Notably "time travel" related:

  • easier way to re-build a consistent release for a specific version.
  • track dependencies (and possibly vulnerable ones)
    ...
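
The gap described in this request, as an added example that is not part of the original issue and not TinyMCE's code: package.json only declares ranges, while the lock file records the exact version (and integrity hash) of every direct and transitive package. The package names, versions, hashes and function names below are constructed for illustration; the walker handles the nested `dependencies` layout of lockfileVersion 1 and the flat `packages` layout of later lock file versions.

```javascript
const pkg = { // constructed package.json: declares ranges only
  devDependencies: { "build-tool": "latest", "left-util": "^1.2.0" }
};
const lock = { // constructed package-lock.json, lockfileVersion 1 layout
  lockfileVersion: 1,
  dependencies: {
    "build-tool": {
      version: "3.4.1",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
      dependencies: { // nested copy of a transitive dependency
        "left-util": { version: "0.9.7" } // constructed: no integrity field
      }
    },
    "left-util": { version: "1.2.5", integrity: "sha512-CONSTRUCTED-PLACEHOLDER" }
  }
};

// Flatten every locked package: v1 nested "dependencies" or v2/v3 "packages".
function lockedPackages(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, e] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      const name = path.split("node_modules/").pop();
      out.push({ name, path, version: e.version, integrity: e.integrity });
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, e] of Object.entries(deps || {})) {
      out.push({ name, path: prefix + name, version: e.version, integrity: e.integrity });
      walk(e.dependencies, prefix + name + " > ");
    }
  };
  walk(lock.dependencies, "");
  return out;
}

// Pair each range declared in package.json with the version the lock pinned.
function resolveDeclared(pkg, lock) {
  const top = (n) => lock.packages ? lock.packages["node_modules/" + n] : (lock.dependencies || {})[n];
  const declared = { ...pkg.dependencies, ...pkg.devDependencies };
  return Object.entries(declared).map(([name, range]) =>
    ({ name, range, locked: (top(name) || {}).version || null }));
}

// Entries with no integrity hash give npm nothing to verify the tarball against.
const missingIntegrity = (lock) =>
  lockedPackages(lock).filter((p) => !p.integrity).map((p) => `${p.path}@${p.version}`);
console.log(resolveDeclared(pkg, lock), missingIntegrity(lock));
```

The flattened `name@version` list from `lockedPackages` is the inventory to compare against security advisories for a given release tag.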
Member

spocke commented Dec 3, 2018

Will discuss this internally. It would be nice to be able to use npm or yarn lock files to install the dependencies needed for a particular release. We have avoided committing these since we do rapid development of all dependencies; we use @latest on everything internal, but it would be nice to be able to get the state back to a particular release.

@OlivierJaquemet
Author

Thanks for the feedback @spocke

Contributor

lnewson commented Mar 1, 2019

Just wanted to let you know that as of 5.0.2 we'll now be bundling both package-lock.json and yarn.lock files in the developer distribution downloads. You should be able to see that the nightly builds already include the lock files: http://download.tiny.cloud/tinymce/community/tinymce_nightly_dev.zip

@OlivierJaquemet
Author

Thanks. I guess I could close this issue, however it would not have the proper labels (5.x)... whatever
