As a security engineer, so that Node dependencies can be managed by automated tooling (e.g., Dependabot, Renovate, npm audit, etc.), I would like Node dependency specifications to be removed from source files (e.g., the Dockerfile) and placed, instead, in a file intended for dependency tracking (e.g., package.json).
Acceptance Criteria
[ ] dependency specification removed from Dockerfile, GitHub Action workflow files, etc.
[ ] dependency specification added to a separate mechanism designed for specifying dependencies (e.g., package.json) #324
[ ] dependency management tooling updated to scan the dependency specification
[ ] workflow continues to function as it did previously (i.e., don't break anything)
[ ] support the composite action mechanism from #257
Definition of Done
[ ] Acceptance criteria met
[ ] Usability tests passed - this user story should be easy to use by real users
[ ] Code refactored for clarity - code must be clean, self-documenting code
[ ] Dependency Rule followed - higher-level code should not depend directly on lower-level code
[ ] Source code merged
[ ] Unit test coverage of our code > 90%
[ ] Security reviewed and reported - includes vulnerability and compliance scanning
[ ] Code quality checks passed
[ ] Build process updated if needed
[ ] API documentation updated if needed
Additional Information
If a package.json (or similar) approach is used, the setup action becomes more generalized from "install this version of this package" to "install the required dependencies":
steps:
  - uses: actions/setup-node@v4
  - run: npm ci
This applies not only to GitHub Actions at runtime, but also to Docker image builds. So, it would go from
RUN npm install ...
to
WORKDIR /destination/
COPY file /destination/
RUN npm ci
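A check for the first acceptance criterion (no dependency specifications left in the Dockerfile or workflow files), written as an added example for this issue and not as the project's own code: it walks Dockerfile RUN lines and workflow run: steps, joins backslash continuations, splits on shell operators, and reports every npm install/i/add command that names packages inline, while allowing npm ci and argument-less npm install, which read package.json. The VALUE_FLAGS set and the three sample files are constructed assumptions, not files from the repository.

```python
"""Lint Dockerfiles and GitHub Actions workflows for inline npm dependency
specifications (e.g. `npm install -g some-tool@1.2.3`), which Dependabot,
Renovate and `npm audit` cannot see. Added example for the issue above;
not the project's own code. VALUE_FLAGS and the samples are assumptions."""
import re
import shlex

# npm subcommands that add a dependency when given a package argument.
INSTALL_SUBCOMMANDS = ("install", "i", "add")
# Flags whose value is the *next* token (assumed list, not exhaustive), so
# that value is not mistaken for a package name.
VALUE_FLAGS = {"--prefix", "-C", "--registry", "--loglevel", "--omit",
               "--include", "-w", "--workspace"}
# Shell operators that separate commands inside one RUN / run: line.
COMMAND_SEPARATOR = re.compile(r"&&|\|\||[;|]")


def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation
        yield start, " ".join(buf)


def package_args(tokens):
    """Return the package specifiers among install arguments, skipping
    flags and the values of value-taking flags."""
    specs, skip_next = [], False
    for tok in tokens:
        if skip_next:
            skip_next = False
        elif tok in VALUE_FLAGS:
            skip_next = True
        elif not tok.startswith("-"):
            specs.append(tok)
    return specs


def scan(text):
    """Return [(line_no, subcommand, [specs])] for every npm install command
    that names packages inline instead of reading them from package.json."""
    findings = []
    for no, line in logical_lines(text):
        for segment in COMMAND_SEPARATOR.split(line):
            try:
                tokens = shlex.split(segment)
            except ValueError:  # unbalanced quote: fall back to a plain split
                tokens = segment.split()
            # Unwrap Dockerfile exec form (RUN ["npm", "install", ...]) and
            # drop trailing shell comments.
            tokens = [t.strip("[],") for t in tokens]
            for k, tok in enumerate(tokens):
                if tok.startswith("#"):
                    tokens = tokens[:k]
                    break
            if "npm" not in tokens:
                continue
            i = tokens.index("npm")
            if i + 1 < len(tokens) and tokens[i + 1] in INSTALL_SUBCOMMANDS:
                specs = package_args(tokens[i + 2:])
                if specs:
                    findings.append((no, tokens[i + 1], specs))
    return findings


# Constructed sample inputs (not files from the project).
SAMPLE_DOCKERFILE = """\
FROM node:20-alpine
WORKDIR /app
# inline version pin: dependency tooling cannot see or update this
RUN apk add --no-cache git \\
    && npm install -g example-cli@1.2.3
COPY package.json package-lock.json /app/
RUN npm ci --omit=dev
"""
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/setup-node@v4
  - run: npm install -g example-cli@1.2.3
  - run: |
      npm ci
      npm test
"""
CLEAN_DOCKERFILE = "WORKDIR /destination/\nCOPY package.json package-lock.json /destination/\nRUN npm ci\n"

if __name__ == "__main__":
    for name, text in [("Dockerfile", SAMPLE_DOCKERFILE),
                       ("workflow.yml", SAMPLE_WORKFLOW),
                       ("Dockerfile.clean", CLEAN_DOCKERFILE)]:
        for no, sub, specs in scan(text):
            print(f"{name}:{no}: inline dependency via `npm {sub}`: {' '.join(specs)}")
```

Run it as a pre-merge check over the repository's Dockerfiles and .github/workflows/*.yml; a non-empty result means a version pin still lives outside package.json and will be invisible to the dependency tooling the story asks for.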
Related Feature Request
#257