A description of the problem you're trying to solve, including why you think this is a problem
The GitHub security alert graph picks up security related issues, based on the dependency graph which itself targets package-lock.json.
Unfortunately, when installing NPM dependencies to a Meteor package, this will only create a .npm folder including a npm-shrinkwrap.jsonwhich is similar but is not catched up by the dependency graph.
Creating an additional package-lock.json could add automated package security scans for packages that depend on vulnerable NPM packages.
An overview of the suggested solution
The package build should create a package-lock.json (but not a package.json) in the top-level of a package folder when publishing. It may or may not also add this package-lock.json as entry to an existing or creating a new .meteorignore
If the feature changes current behavior, reasons why your solution is better
This remains a question, whether it changes current behavior.
Creating the package-lock.json by itself should be possible, but since GitHub offers automatic fixes in the file it should probably also be effective in some way so that the applied security patches have effect.
A description of the problem you're trying to solve, including why you think this is a problem
The GitHub security alert graph picks up security related issues, based on the dependency graph which itself targets
package-lock.json
.Unfortunately, when installing NPM dependencies to a Meteor package, this will only create a
.npm
folder including anpm-shrinkwrap.json
which is similar but is not catched up by the dependency graph.Creating an additional
package-lock.json
could add automated package security scans for packages that depend on vulnerable NPM packages.An overview of the suggested solution
The package build should create a
package-lock.json
(but not apackage.json
) in the top-level of a package folder when publishing. It may or may not also add thispackage-lock.json
as entry to an existing or creating a new.meteorignore
If the feature changes current behavior, reasons why your solution is better
This remains a question, whether it changes current behavior.