Hi π β first, thanks for @getgrit/cli; it's been useful for us.
We hit something we weren't sure was intentional and wanted to ask before assuming. When we install @getgrit/cli@0.1.0-alpha.1743007075 (the version we currently pin), the published tarball includes an npm-shrinkwrap.json, and npm copies its resolved URLs (~65 transitive deps) into our project's package-lock.json pointing at https://registry.npmjs.org/*.
That's fine for most setups, but in our environment all installs are required to flow through a private mirror (AWS CodeArtifact), and our supply-chain scanner flags those nested entries because their resolved hosts bypass the mirror.
Our current workaround: we download the published tarball, strip the npm-shrinkwrap.json, bump the version with a suffix, and re-publish into our CodeArtifact repo. That lets npm resolve the transitive deps through our mirror normally. It works, but it's something we'd need to repeat on every upgrade.
Would removing npm-shrinkwrap.json from the published tarball (e.g. via .npmignore or the files allowlist) be a feasible change on your end? If consumer-side shrinkwrap isn't required for the CLI to function correctly, that would let downstream projects on private registries install cleanly without the repack step.
If there's a reason it needs to ship β binary integrity, install reproducibility, etc. β totally understand, happy to keep our workaround. Just wanted to surface it in case it's an easy tweak.
Thanks!
Hi π β first, thanks for
@getgrit/cli; it's been useful for us.We hit something we weren't sure was intentional and wanted to ask before assuming. When we install
@getgrit/cli@0.1.0-alpha.1743007075(the version we currently pin), the published tarball includes annpm-shrinkwrap.json, and npm copies itsresolvedURLs (~65 transitive deps) into our project'spackage-lock.jsonpointing athttps://registry.npmjs.org/*.That's fine for most setups, but in our environment all installs are required to flow through a private mirror (AWS CodeArtifact), and our supply-chain scanner flags those nested entries because their resolved hosts bypass the mirror.
Our current workaround: we download the published tarball, strip the
npm-shrinkwrap.json, bump the version with a suffix, and re-publish into our CodeArtifact repo. That lets npm resolve the transitive deps through our mirror normally. It works, but it's something we'd need to repeat on every upgrade.Would removing
npm-shrinkwrap.jsonfrom the published tarball (e.g. via.npmignoreor thefilesallowlist) be a feasible change on your end? If consumer-side shrinkwrap isn't required for the CLI to function correctly, that would let downstream projects on private registries install cleanly without the repack step.If there's a reason it needs to ship β binary integrity, install reproducibility, etc. β totally understand, happy to keep our workaround. Just wanted to surface it in case it's an easy tweak.
Thanks!