Skip to content

Commit 34bbd0f

Browse files
UzlopakUzlopak
committed
remove package-lock.json and set .npmrc to not create package-lock.json files, ignore package-lock.json in .npmignore to avoid publishing a package with package-lock.json, gitignore package-lock.json
We could be prone to a supply-chain-attack when we not carefully review changes in the package-lock.json. urls to packages could be changed to malicious variants. To avoid this, we disable the generation package-lock.json. We should not accept any PRs with package-lock.json.
1 parent ac68291 commit 34bbd0f

File tree

4 files changed

+4
-2535
lines changed

4 files changed

+4
-2535
lines changed

.gitignore

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,3 +39,5 @@ tramp
3939
# coverage
4040
coverage
4141
.nyc_output
42+
43+
package-lock.json

.npmignore

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1 +1,2 @@
11
test/
2+
package-lock.json

.npmrc

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
package-lock=false

0 commit comments

Comments
 (0)