Restore missing resolved and integrity of some dependencies and add check of lockfile integrity (#5336)

Co-authored-by: Tommaso Sciortino <sciortino@gmail.com>
2026-03-23 20:40:41 -07:00 · 2025-08-30 00:43:56 +08:00
parent 6868cbe7b7
commit f80f7b445c
4 changed files with 91 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -94,6 +94,10 @@ jobs:
          node-version-file: '.nvmrc'
          cache: 'npm'

+      - name: 'Run lockfile check'
+        run: |-
+          npm run check:lockfile
+
      - name: 'Install dependencies'
        run: |-
          npm ci
--- a/package-lock.json
+++ b/package-lock.json
@@ -14567,6 +14567,8 @@
    },
    "packages/cli/node_modules/@testing-library/dom": {
      "version": "10.4.0",
+      "resolved": "https://registry.npmjs.org/@testing-library/dom/-/dom-10.4.0.tgz",
+      "integrity": "sha512-pemlzrSESWbdAloYml3bAJMEfNh1Z7EduzqPKprCH5S341frlpYnUEW0H72dLxa6IsYr+mPno20GiSm+h9dEdQ==",
      "dev": true,
      "license": "MIT",
      "peer": true,
@@ -14602,6 +14604,8 @@
    },
    "packages/cli/node_modules/@testing-library/react": {
      "version": "16.3.0",
+      "resolved": "https://registry.npmjs.org/@testing-library/react/-/react-16.3.0.tgz",
+      "integrity": "sha512-kFSyxiEDwv1WLl2fgsq6pPBbw5aWKrsY2/noi1Id0TK0UParSF62oFQFGHXIyaG4pp2tEub/Zlel+fjjZILDsw==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -14653,6 +14657,8 @@
    },
    "packages/cli/node_modules/aria-query": {
      "version": "5.3.0",
+      "resolved": "https://registry.npmjs.org/aria-query/-/aria-query-5.3.0.tgz",
+      "integrity": "sha512-b0P0sZPKtyu8HkeRAfCq0IfURZK+SuwMjY1UXGBU27wpAiTwQAIlq56IbIO+ytk/JjS1fMR14ee5WBBfKi5J6A==",
      "dev": true,
      "license": "Apache-2.0",
      "peer": true,
@@ -14662,6 +14668,8 @@
    },
    "packages/cli/node_modules/emoji-regex": {
      "version": "10.4.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.4.0.tgz",
+      "integrity": "sha512-EC+0oUMY1Rqm4O6LLrgjtYDvcVYTy7chDnM4Q7030tP4Kwj3u/pR6gP9ygnp2CJMK5Gq+9Q2oqmrFJAz01DXjw==",
      "license": "MIT"
    },
    "packages/cli/node_modules/react-is": {
@@ -14674,6 +14682,8 @@
    },
    "packages/cli/node_modules/string-width": {
      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-7.2.0.tgz",
+      "integrity": "sha512-tsaTIkKW9b4N+AEj+SVA+WhJzV7/zMhcSu78mLKWSk7cXMOSHsBKFWUs0fWwq8QyK3MgJBQRX6Gbi4kYbdvGkQ==",
      "license": "MIT",
      "dependencies": {
        "emoji-regex": "^10.3.0",
@@ -14786,6 +14796,8 @@
    },
    "packages/core/node_modules/ignore": {
      "version": "7.0.5",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.5.tgz",
+      "integrity": "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==",
      "license": "MIT",
      "engines": {
        "node": ">= 4"
--- a/package.json
+++ b/package.json
@@ -49,6 +49,7 @@
    "prepare:package": "node scripts/prepare-package.js",
    "release:version": "node scripts/version.js",
    "telemetry": "node scripts/telemetry.js",
+    "check:lockfile": "node scripts/check-lockfile.js",
    "clean": "node scripts/clean.js"
  },
  "bin": {
--- a/scripts/check-lockfile.js
+++ b/scripts/check-lockfile.js
@@ -0,0 +1,74 @@
+/**
+ * @license
+ * Copyright 2025 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import fs from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const root = join(__dirname, '..');
+const lockfilePath = join(root, 'package-lock.json');
+
+function readJsonFile(filePath) {
+  try {
+    const fileContent = fs.readFileSync(filePath, 'utf-8');
+    return JSON.parse(fileContent);
+  } catch (error) {
+    console.error(`Error reading or parsing ${filePath}:`, error);
+    return null;
+  }
+}
+
+console.log('Checking lockfile...');
+
+const lockfile = readJsonFile(lockfilePath);
+if (lockfile === null) {
+  process.exit(1);
+}
+const packages = lockfile.packages || {};
+const invalidPackages = [];
+
+for (const [location, details] of Object.entries(packages)) {
+  // 1. Skip the root package itself.
+  if (location === '') {
+    continue;
+  }
+
+  // 2. Skip local workspace packages.
+  // They are identifiable in two ways:
+  // a) As a symlink within node_modules.
+  // b) As the source package definition, whose path is not in node_modules.
+  if (details.link === true || !location.includes('node_modules')) {
+    continue;
+  }
+
+  // 3. Any remaining package should be a third-party dependency.
+  // 1) Registry package with both "resolved" and "integrity" fields is valid.
+  if (details.resolved && details.integrity) {
+    continue;
+  }
+  // 2) Git and file dependencies only need a "resolved" field.
+  const isGitOrFileDep =
+    details.resolved?.startsWith('git') ||
+    details.resolved?.startsWith('file:');
+  if (isGitOrFileDep) {
+    continue;
+  }
+
+  // Mark the left dependency as invalid.
+  invalidPackages.push(location);
+}
+
+if (invalidPackages.length > 0) {
+  console.error(
+    '\nError: The following dependencies in package-lock.json are missing the "resolved" or "integrity" field:',
+  );
+  invalidPackages.forEach((pkg) => console.error(`- ${pkg}`));
+  process.exitCode = 1;
+} else {
+  console.log('Lockfile check passed.');
+  process.exitCode = 0;
+}