Build: re-introduce a package-lock.json file

They were used a long time ago, then I scrapped them for simplicity to
new contributors. I'm re-considering this and re-introducing one, for
two (maybe three) reasons:

1. Reading on supply chain attacks
2. Build broken because of a dep change (see previous commit broken
   because of a change in yargs @ 17.1.0)
(3.) Performance

.github/CONTRIBUTING.md

@@ -20,9 +20,6 @@ We follow the [Airbnb Style Guide](https://github.com/airbnb/javascript), please
 The following commands might be helpful:
 
 ```bash
-# Run specs and lint
-npm run ci
-
 # Run specs only
 npm run test
 

.github/workflows/ci.yml

@@ -33,7 +33,7 @@ jobs:
       with:
         node-version: ${{ matrix.node-version }}
     # Will also (through `prepare` hook): 1. install ./app, and 2. build
-    - run: npm install --no-fund
+    - run: npm ci --no-fund
     # Only run linter once, for faster CI. Align the versions of Node here with above and publish.yml.
     - if: matrix.platform == 'ubuntu-latest' && matrix.node-version == '16.x'
       run: npm run lint

.github/workflows/publish.yml

@@ -15,7 +15,7 @@ jobs:
         node-version: '16.x'
         registry-url: 'https://registry.npmjs.org'
     # Will also (through `prepare` hook): 1. install ./app, and 2. build
-    - run: npm install --no-fund
+    - run: npm ci --no-fund
     - run: npm test
     - run: npm run lint
     - run: npm publish

.gitignore

@@ -1,9 +1,6 @@
 # OSX
 .DS_Store
 
-# Node.js
-package-lock.json
-
 # ignore compiled lib files
 lib*
 app/lib/*

.npmignore

@@ -6,7 +6,6 @@ src/
 *eslintrc.js
 *eslintrc.yml
 *tsconfig.tsbuildinfo
-*package-lock.json
 *tsconfig.json
 *jestSetupFiles*
 *-test.js

.npmrc

@@ -1 +0,0 @@
-package-lock=false

HACKING.md

@@ -57,10 +57,10 @@ cd nativefier
 Install dependencies (for both the CLI and the Electron app):
 
 ```bash
-npm install
+npm ci
 ```
 
-The above `npm install` will build automatically (through the `prepare` hook).
+The above `npm ci` will build automatically (through the `prepare` hook).
 When you need to re-build Nativefier,
 
 ```bash
@@ -153,26 +153,14 @@ So: do upgrade CLI & App deps regularly! Our release script will remind you abou
 
 ### Deps lockfile
 
-Although there are benefits to a package lock (reproducible builds, install speed),
+We do use lockfiles (`package-lock.json` & `app/package-lock.json`), for:
-as of writing, Nativefier doesn't use one. We tried it, and removed it after seeing
-it confused novice devs sending PRs. They don't know how to manage it, they update
-the package.json but not the lock, it's a hassle, they get discouraged.
 
-At time of writing, maximizing simplicity and ease of contribution
+1. Security (avoiding supply chain attacks)
-seems preferable over reproducible builds and install speed.
+2. Reproducibility
+3. Performance
 
-Also, practically, the npm ecosystem today is stable enough that non-reproducible
+It means you might have to update these lockfiles when adding a dependency.
-builds never caused any trouble in years (zero issues/complaints related to it).
+`npm run relock` will help you with that.
-Semantic versioning is well respected, our users get patch/minor upgrades,
-a build at time T1 works, and a different build at time T2 > T1 works too 🙂.
-
-Finally, it's not a problem for distributions / user repositories wishing to
-provide reproducible builds, because if a repo (say, AUR) wants to make *their*
-build reproducible, they can: the packager can add a lockfile to their PKGBUILD
-associated files, and it will be reproducible for them.
-
-This is of course debatable and may change in the future based on bugs,
-user feedback, or future maintainers preference.
 
 ### Release
 

app/.npmrc

@@ -1 +0,0 @@
-package-lock=false

package.json

@@ -36,14 +36,14 @@
     "build": "npm run clean && tsc --build shared src app && npm run build-app && npm run build-app-static",
     "build:watch": "npm run clean && tsc --build shared src app --watch",
     "changelog": "./.github/generate-changelog",
-    "ci": "npm run lint && npm test",
     "clean": "rimraf coverage/ lib/ app/lib/ app/dist/ shared/lib",
     "clean:full": "npm run clean && rimraf app/node_modules/ node_modules/",
     "lint:fix": "cd src && eslint . --ext .ts --fix && cd ../shared && eslint src --ext .ts --fix && cd ../app && eslint src --ext .ts --fix",
     "lint:format": "prettier --write 'src/**/*.ts' 'app/src/**/*.ts' 'shared/src/**/*.ts'",
     "lint": "eslint shared app src --ext .ts",
     "list-outdated-deps": "npm out; cd app && npm out; true",
-    "prepare": "cd app && npm install && cd .. && npm run build",
+    "prepare": "cd app && npm ci && cd .. && npm run build",
+    "relock": "rm -rf ./node_modules/ ./app/node_modules/ ./package-lock.json ./app/package-lock.json; npm install --package-lock --ignore-scripts && npm out; cd app && npm install --package-lock --ignore-scripts && npm out; cd .. && true",
     "test:integration": "jest --testRegex '.*integration-test.js'",
     "test:manual": "npm run build && ./.github/manual-test",
     "test:unit": "jest",
@@ -63,7 +63,7 @@
     "sanitize-filename": "^1.6.3",
     "source-map-support": "^0.5.19",
     "tmp": "^0.2.1",
-    "yargs": "^17.0.1"
+    "yargs": "17.0.1"
   },
   "devDependencies": {
     "@types/debug": "^4.1.6",