Description
Today the `packagelockjson` extractor identifies `package-lock.json` files, as expected:

But there is another file that could (should?) also be identified and parsed the same way: `npm-shrinkwrap.json`
Both of these files have the same format, and perform similar functions in the root of a project. The difference is that `package-lock.json` cannot be published, and it will be ignored if found in any place other than the root project. In contrast, `npm-shrinkwrap.json` allows publication, and defines the dependency tree from the point encountered. This is not recommended unless deploying a CLI tool or otherwise using the publication process for producing production packages. If both `package-lock.json` and `npm-shrinkwrap.json` are present in the root of a project, `npm-shrinkwrap.json` will take precedence and `package-lock.json` will be ignored.
Tangentially, should it be its own extractor (e.g. `packageshrinkwrapjson`), or would it make sense to include it as an additional case to the existing `packagelockjson` extractor's `FileRequired` method?
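To make the precedence rules concrete, here is an added example (not the extractor project's own code) of what a single extractor covering both files could look like: a `FileRequired` that claims both names, a selection step that applies npm's rules (shrinkwrap wins over a sibling `package-lock.json`, and `package-lock.json` only counts at the project root), and one parser for the shared format. The path-based `FileRequired(string)` signature, the `SelectLockfiles` helper and the sample lockfile JSON are assumptions made for this illustration; the parser reads only the `packages` map of lockfileVersion 2/3 files.

```go
package main

import (
	"encoding/json"
	"path/filepath"
	"strings"
)

// lockfile is the subset of the shared package-lock.json / npm-shrinkwrap.json
// format (lockfileVersion 2/3) needed to list installed packages.
type lockfile struct {
	LockfileVersion int                          `json:"lockfileVersion"`
	Packages        map[string]struct{ Version string } `json:"packages"`
}

// FileRequired reports whether a path should be handled by this extractor.
// Both file names share one format, so one extractor can claim both.
// (Simplified signature assumed for this example.)
func FileRequired(p string) bool {
	base := filepath.Base(p)
	return base == "package-lock.json" || base == "npm-shrinkwrap.json"
}

// SelectLockfiles applies npm's precedence rules to candidate paths:
// npm-shrinkwrap.json is honoured wherever it is found and overrides a sibling
// package-lock.json; package-lock.json is only honoured in the project root.
func SelectLockfiles(root string, paths []string) []string {
	shrinkwrapDirs := map[string]bool{}
	for _, p := range paths {
		if filepath.Base(p) == "npm-shrinkwrap.json" {
			shrinkwrapDirs[filepath.Dir(p)] = true
		}
	}
	var out []string
	for _, p := range paths {
		dir := filepath.Dir(p)
		switch filepath.Base(p) {
		case "npm-shrinkwrap.json":
			out = append(out, p)
		case "package-lock.json":
			if dir == filepath.Clean(root) && !shrinkwrapDirs[dir] {
				out = append(out, p)
			}
		}
	}
	return out
}

// ParsePackages parses the shared format and returns name -> version for every
// entry except "" (the root project). The name is the segment after the last
// "node_modules/", e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
func ParsePackages(data []byte) (map[string]string, error) {
	var lf lockfile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for key, pkg := range lf.Packages {
		if key == "" {
			continue
		}
		name := key
		if idx := strings.LastIndex(key, "node_modules/"); idx >= 0 {
			name = key[idx+len("node_modules/"):]
		}
		out[name] = pkg.Version
	}
	return out, nil
}
```

Because the two files are parsed by the same function, the only extractor-specific change is the file-name match and the precedence step; everything downstream of `ParsePackages` is shared.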