
fix: publish npm-shrinkwrap.json to pin transitive dependencies#88

Merged
pchuri merged 1 commit into main from fix/publish-shrinkwrap
Apr 1, 2026

Conversation

@pchuri
Owner

@pchuri pchuri commented Apr 1, 2026

Description

Convert package-lock.json to npm-shrinkwrap.json so that published installs resolve the exact dependency versions tested in CI, preventing supply-chain drift.

package-lock.json is not included in npm publishes, so users installing via npm install -g confluence-cli resolve dependencies from package.json semver ranges. npm-shrinkwrap.json is the publishable lockfile and is recommended by npm for CLI tools.

Closes #86

Type of Change

  • Bug fix (non-breaking change which fixes an issue)

Testing

  • Tests pass locally with my changes
  • New and existing unit tests pass locally with my changes

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • My changes generate no new warnings

Convert package-lock.json to npm-shrinkwrap.json so that published
installs resolve the exact dependency versions tested in CI, preventing
supply-chain drift such as the recent malicious axios incident.

Closes #86
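As an added example (not code from the confluence-cli project), the script below audits, for a constructed package, what an installer of the published tarball would actually resolve: floating semver ranges from package.json when no npm-shrinkwrap.json ships, or incompletely pinned entries (transitive ones included) when it does.

```javascript
// Added example (not confluence-cli code); all sample data below is constructed.
// Constructed package.json: the caret range on axios floats to any 1.x release.
const PACKAGE_JSON = {
  name: "example-cli",
  dependencies: { axios: "^1.6.0", chalk: "4.1.2" },
};

// Constructed lockfileVersion-3 npm-shrinkwrap.json. The transitive
// follow-redirects entry deliberately lacks an integrity hash.
const REGISTRY = "https://registry.npmjs.org";
const SHRINKWRAP = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: PACKAGE_JSON.dependencies },
    "node_modules/axios": { version: "1.6.8",
      resolved: `${REGISTRY}/axios/-/axios-1.6.8.tgz`, integrity: "sha512-constructed" },
    "node_modules/follow-redirects": { version: "1.15.6",
      resolved: `${REGISTRY}/follow-redirects/-/follow-redirects-1.15.6.tgz` },
    "node_modules/chalk": { version: "4.1.2",
      resolved: `${REGISTRY}/chalk/-/chalk-4.1.2.tgz`, integrity: "sha512-constructed" },
  },
};

// Dependency ranges that are not exact x.y.z pins; without a shipped lockfile
// these are what `npm install -g <pkg>` resolves from.
function floatingRanges(pkg) {
  const deps = pkg.dependencies || {};
  return Object.keys(deps).filter((n) => !/^\d+\.\d+\.\d+$/.test(deps[n]));
}

// Lockfile entries, transitive ones included, missing version, resolved URL or integrity.
function unpinnedEntries(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p, e]) => p !== "" && !(e.version && e.resolved && e.integrity))
    .map(([p]) => p);
}

// npm excludes package-lock.json from tarballs and honours only npm-shrinkwrap.json,
// so which file is in the published file list decides what the audit checks.
function auditPublishedInstall(tarballFiles, pkg, lock) {
  if (!tarballFiles.includes("npm-shrinkwrap.json")) {
    const f = floatingRanges(pkg).map((n) => `${n} resolved from range ${pkg.dependencies[n]}`);
    return { pinned: f.length === 0, findings: f };
  }
  const bad = unpinnedEntries(lock).map((p) => `${p} lacks version/resolved/integrity`);
  return { pinned: bad.length === 0, findings: bad };
}

for (const files of [["package-lock.json"], ["npm-shrinkwrap.json"]])
  console.log(files[0], auditPublishedInstall(files, PACKAGE_JSON, SHRINKWRAP));
```

On a real package, the file list comes from `npm pack --dry-run --json` and the lockfile from the unpacked tarball.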
@pchuri pchuri merged commit d0dffd2 into main Apr 1, 2026
6 checks passed
github-actions bot pushed a commit that referenced this pull request Apr 1, 2026
## [1.27.7](v1.27.6...v1.27.7) (2026-04-01)

### Bug Fixes

* publish npm-shrinkwrap.json to pin transitive dependencies ([#88](#88)) ([d0dffd2](d0dffd2)), closes [#86](#86)
@github-actions

github-actions bot commented Apr 1, 2026

🎉 This PR is included in version 1.27.7 🎉

The release is available on:

Your semantic-release bot 📦🚀


Development

Successfully merging this pull request may close these issues.

Harden npm installs by pinning axios and publishing shrinkwrap
