
Use NPM "overrides" feature instead of shrinkwrap to lock transitive dependencies
Open, Needs Triage, Public

Description

Recently, we replaced Codex's package-lock.json file with an npm-shrinkwrap.json file. You can read about the difference between these two files here.

We made this change because we did not want to expose downstream users of Codex to changes in any of our project's transitive dependencies (i.e. dependencies of our dependencies).

We depend on the Floating UI library (specifically, the @floating-ui/vue package). The package we use in Codex has transitive dependencies which are other internal Floating UI packages. Without shrink-wrapping, it was possible for changes to the Floating UI code which we ship as part of Codex to sneak into our releases even without any explicit updates on our part. Pinning a dependency package at an exact version is not enough to prevent this behavior, but shrink-wrapping locks things down.

The DST engineering team wishes to ensure that no un-vetted code from 3rd parties (even minor version updates to projects we have previously reviewed) gets included in Codex releases.

Unfortunately, using npm shrinkwrap to do this also breaks the ability of Library Upgrader to automatically update Codex versions that are used in various MW projects. This is a useful tool and we don't want to lose this ability.

Acceptance criteria
  • Remove npm-shrinkwrap.json and restore package-lock.json so that LibraryUpgrader works with Codex again
  • Use the "overrides" feature in package.json to lock down all transitive dependencies which show up in Codex output (only Floating UI packages at this time). We should lock these packages to their current versions and then review future changes manually during a periodic dep update chore task.
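As an added illustration (not Codex's own code or configuration), the following shows the package.json shape the second criterion describes, a transitive-package pin under the npm "overrides" key next to an exactly pinned direct dependency, together with a small check that would catch the drift the description warns about: it reads the "overrides" map and reports every copy of an overridden package in package-lock.json whose resolved version disagrees with the pin. The package name @floating-ui/vue is from the task; the other package names, every version number, and the lockfile contents are constructed placeholders, not Codex's real dependency tree.

```javascript
// Added example, not Codex's own code. Package names other than
// @floating-ui/vue, and all version numbers, are constructed placeholders.

// Constructed package.json: the direct dependency is pinned exactly, and
// "overrides" pins the internal Floating UI packages it pulls in, so that
// `npm install` cannot resolve them to a newer release on its own.
const examplePackageJson = {
  name: 'example-codex-like-library',
  version: '1.0.0',
  dependencies: {
    '@floating-ui/vue': '1.0.0'
  },
  overrides: {
    '@floating-ui/core': '1.0.0',
    '@floating-ui/dom': '1.0.0',
    '@floating-ui/utils': '0.1.0'
  }
};

// Constructed package-lock.json (lockfileVersion 3 layout). One entry has
// drifted from its override to show what the check reports; a nested copy
// under another package is included to show that nested paths are covered.
const exampleLock = {
  name: 'example-codex-like-library',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@floating-ui/vue': '1.0.0' } },
    'node_modules/@floating-ui/vue': { version: '1.0.0' },
    'node_modules/@floating-ui/core': { version: '1.0.0' },
    'node_modules/@floating-ui/dom': { version: '1.0.0' },
    'node_modules/@floating-ui/utils': { version: '0.1.1' }, // drifted
    'node_modules/some-lib/node_modules/@floating-ui/dom': { version: '1.0.0' }
  }
};

// Map a lockfile "packages" key (an install path) to the package name it
// holds; the root entry '' has no node_modules/ segment and yields null.
function packageNameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Return one {name, path, expected, actual} record for every lockfile entry
// whose resolved version disagrees with the override for that package.
// An empty list means the lock matches the pins.
function findOverrideDrift(pkg, lock) {
  const overrides = pkg.overrides || {};
  const drift = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(installPath);
    if (name === null || !(name in overrides)) continue;
    const expected = overrides[name];
    if (entry.version !== expected) {
      drift.push({ name, path: installPath, expected, actual: entry.version });
    }
  }
  return drift;
}

// Same check against a real checkout: read both files from the project root.
function checkProject(dir) {
  const fs = require('fs');
  const pkg = JSON.parse(fs.readFileSync(`${dir}/package.json`, 'utf8'));
  const lock = JSON.parse(fs.readFileSync(`${dir}/package-lock.json`, 'utf8'));
  return findOverrideDrift(pkg, lock);
}

// Run against the constructed data and print anything that drifted.
for (const d of findOverrideDrift(examplePackageJson, exampleLock)) {
  console.log(`${d.path}: ${d.name} is ${d.actual}, override pins ${d.expected}`);
}
```

Two caveats worth keeping in mind when applying this to Codex. First, npm honours "overrides" only from the root package.json of an install, so the pins govern Codex's own build and the Floating UI code bundled into its output, not the node_modules of a downstream project that installs Codex. Second, the check above only compares package-lock.json with the pins; `npm ls @floating-ui/dom` (and the other overridden names) after `npm ci` confirms what is actually installed, which is the useful step in the periodic dependency update chore.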