Request to remove "package-lock.json" to allow consumers to install the latest security fixes for all transitive dependencies based on semvers defined in "package.json"

[mpawlow]

Is your feature request related to a problem? Please describe.

• Yes
• A security vulnerability / CVE was discovered in the expect transitive dependency
• See: https://github.com/IBM/node-sdk-core/issues/266#issuecomment-2115334749

Describe the solution you'd like

• Solution: The request is to simply remove and do not generate the package-lock.json file
• The package-lock.json is locking down library versions for all transitive (child) dependencies in the hierarchy
• Problem: This prevents the consuming service that is installing this library to automatically pick-up the latest security fixes based on the semvers defined in package.json and all child dependencies
  • e.g. We typically run npm update to pull in the latest library versions
  • Also, it defeats the npm tree-shaking mechanism to consolidate duplicate library versions into single version based on semver restrictions
• Note: Including package-lock.json at the library level doesn't seem to be an industry standard or best practice based on the most popular Node libraries in the ecosystem
• From a DevOps perspective, only top level services that include these libraries should define a package-lock.json when deploying the app to different environments (DEV, QA, PROD)

Describe alternatives you've considered

• The alternative is to wait for the CVE to be addressed directly at the @ibm-cloud/cloudant and ibm-cloud-sdk-core library level rather than automatically picking up the latest security fixes for all transitive dependencies via npm update

Additional context

• Opened a similar feature request against ibm-cloud-sdk-core here --> https://github.com/IBM/node-sdk-core/issues/273

[ricellis]

We already do not include the package-lock.json in our published module so there is nothing to remove. The source package-lock.json should have no impact on downstream consumers.

We do pin dependency versions in our package.json to the versions that we have tested and can support. We resolve CVEs and publish new versons as soon as possible.

It is also possible to override dependencies in your own project's manifests if you like. Although at this point in time for this particular case there are no new versions available to use. If ibm-cloud-sdk-core releases a new version without the expect dependency then rest asssured we will update and test soon after.

[mpawlow]

Confirmed.

• The library is indeed published without the package-lock.json file

Thanks for the quick response.

[ricellis]

Now the micromatch and braces modules have had updates released running npm update should resolve this problem. New releases of node-sdk-core and cloudant-node-sdk are not required because the fixed transitive packages are within the existing acceptable dependency version ranges.