installDeps.sh: create a package-lock.json on startup. Track it in the repo.

This change reverts c4918efc1b, and basically negates what was done for #3396, but aligns better with current practices in the nodejs ecosystem. Pragmatically speaking, this will allow users, if they want, to use npm-force-resolutions (https://github.com/rogeriochaves/npm-force-resolutions) to manually fix security vulnerabilities. We had a problem for that (see #3598), and - given the fragmented nature of the nodejs ecosystem - it is reasonable to expect more issues like that one, so it's better to be prepared. Closes #3659.
2019-10-31 19:20:28 +01:00 · 2019-10-31 19:20:28 +01:00 · 9ee131ca1f
parent 84479851fe
commit 9ee131ca1f
2 changed files with 7240 additions and 1 deletions
--- a/bin/installDeps.sh
+++ b/bin/installDeps.sh
@ -100,7 +100,7 @@ echo "Ensure that all dependencies are up to date...  If this is the first time
  cd node_modules
  [ -e ep_etherpad-lite ] || ln -s ../src ep_etherpad-lite
  cd ep_etherpad-lite
-  npm install --no-save --loglevel warn
+  npm install --save --loglevel warn
 ) || {
  rm -rf src/node_modules
  exit 1
--- a/src/package-lock.json
+++ b/src/package-lock.json