Some way to manage package-lock.json

[seebees]

Humans are not going to look at this file.
Dependabot or similar can handle updating dependancies,
but adding dependancies is still a manual process.

Is there a way to ensure that a given package-lock.json is valid
within the context of a package.json file?

[mattsb42-aws]

Proposal: no human is ever allowed to edit the lock file. Instead, we have a GitHub Actions bot who updates that file. This could require adding dependencies as a separate pull request, but I'm not entirely convinced that is a terrible idea.

The benefit of this is that if only bots are ever editing this file, we can be much more confident that the file is generated the way that we think it is.

[seebees]

This could be accomplished by pushing a change to the package.json file
and then having the bot/action push the change to the package-lock.json file to the PR...

[mattsb42-aws]

I did consider that. My concern with that is that separating the commits in a PR that were made by a human from the commits that were made by a bot is tenuous at best, and impossible at worst (say, if someone rebases after the changes).

My root issue is that we have this very important file that defines exactly what dependencies are pulled in as well as the root of trust for validating those dependencies...but this file is simultaneously impossible for a human to validate or otherwise review.

This is not a problem that is unique to this project or to JS, though JS is one of the few ecosystems I have personally encountered where is is common practice to enshrine the dependency lock file in source code.