Add package-lock.json for reproducible dependency chains

- Remove package-lock.json from .gitignore - Add validated package-lock.json (Node 20, 1003 packages) - Update CI workflow to use npm ci instead of npm install - Update README development instructions to use npm ci This ensures all developers and CI get identical dependency trees, protecting against npm supply chain attacks where compromised patch versions could automatically propagate through semver ranges. Closes #5424
2026-01-07 16:15:12 +01:00 · 2026-01-07 16:15:12 +01:00 · 3df161c3bc
parent 92ca0eea83
commit 3df161c3bc
4 changed files with 11987 additions and 3 deletions
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -24,7 +24,7 @@ jobs:
      with:
        node-version: ${{ matrix.node-version }}
    - name: Install Dependencies
-      run: npm install
+      run: npm ci
    - name: Run tests
      run: |
        npm run test
--- a/.gitignore
+++ b/.gitignore
@ -27,7 +27,6 @@ docs
 .vscode
 .nyc_output
 sync.ffs_db
-package-lock.json
 .editorconfig
 test/resources/50-file-test-file.txt
 test/unit/@node-red/runtime/lib/nodes/.testUserHome
--- a/README.md
+++ b/README.md
@ -78,7 +78,7 @@ If you want to run the latest code from git, here's how to get started:

 2. Install the node-red dependencies

-        npm install
+        npm ci

 3. Build the code

--- a/package-lock.json
+++ b/package-lock.json