[Snyk] Fix for 14 vulnerabilities #233
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Package lock lint | |
# **What it does**: Makes sure package.json and package-lock.json is in sync | |
# **Why we have it**: Accidental manual edits of the dependencies directly in package.json | |
# **Who does it impact**: Docs engineering/writers/contributors. | |
on: | |
pull_request: | |
paths: | |
- package.json | |
- package-lock.json | |
- .github/workflows/package-lock-lint.yml | |
permissions: | |
contents: read | |
# This allows a subsequently queued workflow run to interrupt previous runs | |
concurrency: | |
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' | |
cancel-in-progress: true | |
jobs: | |
lint: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out repo | |
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 | |
- name: Setup Node | |
uses: actions/setup-node@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561 | |
with: | |
node-version: 16.14.x | |
- name: Run check | |
run: | | |
npm --version | |
# From https://docs.npmjs.com/cli/v7/commands/npm-install | |
# | |
# The --package-lock-only argument will only update the | |
# package-lock.json, instead of checking node_modules and | |
# downloading dependencies. | |
# | |
npm install --package-lock-only --ignore-scripts --include=optional | |
# If the package.json (dependencies and devDependencies) is | |
# in correct sync with package-lock.json running the above command | |
# should *not* make an edit to the package-lock.json. I.e. | |
# running `git status` should | |
# say "nothing to commit, working tree clean". | |
git diff --exit-code |