Use shrinkwrap for package locking (#8298)

.github/CODEOWNERS

@@ -4,7 +4,7 @@
 # Require reviews from the release approvers for critical files.
 # These patterns override the rule above.
 /package.json @google-gemini/gemini-cli-askmode-approvers
-/package-lock.json @google-gemini/gemini-cli-askmode-approvers
+/npm-shrinkwrap.json @google-gemini/gemini-cli-askmode-approvers
 /GEMINI.md @google-gemini/gemini-cli-askmode-approvers
 /SECURITY.md @google-gemini/gemini-cli-askmode-approvers
 /LICENSE @google-gemini/gemini-cli-askmode-approvers

.github/workflows/promote-release.yml

@@ -165,7 +165,7 @@ jobs:
           BRANCH_NAME: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
           DRY_RUN: '${{ github.event.inputs.dry_run }}'
         run: |-
-          git add package.json package-lock.json packages/*/package.json
+          git add package.json npm-shrinkwrap.json packages/*/package.json
           git commit -m "chore(release): bump version to ${{ needs.calculate-versions.outputs.NEXT_NIGHTLY_VERSION }}"
           if [[ "${DRY_RUN}" == "false" ]]; then
             echo "Pushing release branch to remote..."

.prettierignore

@@ -17,4 +17,5 @@ eslint.config.js
 **/generated
 gha-creds-*.json
 junit.xml
+npm-shrinkwrap.json
 Thumbs.db

package.json

@@ -59,7 +59,8 @@
   "files": [
     "bundle/",
     "README.md",
-    "LICENSE"
+    "LICENSE",
+    "npm-shrinkwrap.json"
   ],
   "devDependencies": {
     "@types/marked": "^5.0.2",

packages/vscode-ide-companion/scripts/generate-notices.js

@@ -94,7 +94,7 @@ function collectDependencies(packageName, packageLock, dependenciesMap) {
   const packageInfo = packageLock.packages[`node_modules/${packageName}`];
   if (!packageInfo) {
     console.warn(
-      `Warning: Could not find package info for ${packageName} in package-lock.json.`,
+      `Warning: Could not find package info for ${packageName} in npm-shrinkwrap.json.`,
     );
     return;
   }
@@ -114,7 +114,7 @@ async function main() {
     const packageJsonContent = await fs.readFile(packageJsonPath, 'utf-8');
     const packageJson = JSON.parse(packageJsonContent);
 
-    const packageLockJsonPath = path.join(projectRoot, 'package-lock.json');
+    const packageLockJsonPath = path.join(projectRoot, 'npm-shrinkwrap.json');
     const packageLockJsonContent = await fs.readFile(
       packageLockJsonPath,
       'utf-8',

scripts/check-lockfile.js

@@ -10,7 +10,7 @@ import { fileURLToPath } from 'node:url';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const root = join(__dirname, '..');
-const lockfilePath = join(root, 'package-lock.json');
+const lockfilePath = join(root, 'npm-shrinkwrap.json');
 
 function readJsonFile(filePath) {
   try {
@@ -64,7 +64,7 @@ for (const [location, details] of Object.entries(packages)) {
 
 if (invalidPackages.length > 0) {
   console.error(
-    '\nError: The following dependencies in package-lock.json are missing the "resolved" or "integrity" field:',
+    '\nError: The following dependencies in npm-shrinkwrap.json are missing the "resolved" or "integrity" field:',
   );
   invalidPackages.forEach((pkg) => console.error(`- ${pkg}`));
   process.exitCode = 1;

scripts/version.js

@@ -75,7 +75,7 @@ if (cliPackageJson.config?.sandboxImageUri) {
   writeJson(cliPackageJsonPath, cliPackageJson);
 }
 
-// 6. Run `npm install` to update package-lock.json.
+// 6. Run `npm install` to update npm-shrinkwrap.json.
 run('npm install');
 
 console.log(`Successfully bumped versions to v${newVersion}.`);