@shazron shazron commented Sep 29, 2025

Description

  • aio app pack will include package-lock.json now by default
  • aio app pack has a new flag: --[no]-lock-file (default true, new)
  • aio app install will install using npm ci if a lockfile is included, and npm install if a lockfile is missing
  • aio app install has a new flag: --[no]-allow-scripts (default true, for legacy support - added here for future disabling of scripts as needed)

How Has This Been Tested?

  • local link the app plugin, and pack and install an app (with and without the --no-lock-file flag)
  • app is installed using npm ci if lockfile is included (with or without --no-allow-scripts)
  • app is installed using npm install if lockfile is not included (with or without --no-allow-scripts)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • I have signed the Adobe Open Source CLA.
  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
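An added illustration of the install behaviour listed in the description above, not code from this pull request or the aio CLI: it picks `npm ci` or `npm install` from lockfile presence and lists which locked packages declare install scripts, lack an integrity hash, or resolve outside the public registry. The function names, the mapping of `--no-allow-scripts` to npm's `--ignore-scripts`, the public-registry expectation and the sample lockfile are assumptions.

```javascript
// Added example, not code from this pull request or aio-cli-plugin-app.
// Assumption: --no-allow-scripts is passed to npm as --ignore-scripts.
const REGISTRY = 'https://registry.npmjs.org/'

// Report what a packaged lockfile (lockfileVersion 2/3 "packages" map) would pull in.
function auditLockfile (lockfileText) {
  const lock = JSON.parse(lockfileText)
  const findings = []
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    if (pkgPath === '' || entry.link) continue // skip the root project and links
    if (entry.hasInstallScript) findings.push({ pkgPath, issue: 'runs-install-script' })
    if (!entry.integrity) findings.push({ pkgPath, issue: 'missing-integrity' })
    // Assumption: dependencies are expected to come from the public npm registry.
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY)) {
      findings.push({ pkgPath, issue: 'non-registry-source' })
    }
  }
  return findings
}

// `npm ci` when a lockfile was packed, `npm install` when it was not.
function planInstall ({ lockfileText, allowScripts = true }) {
  const args = [lockfileText ? 'ci' : 'install']
  if (!allowScripts) args.push('--ignore-scripts')
  return { args, findings: lockfileText ? auditLockfile(lockfileText) : [] }
}

// Constructed sample lockfile: package names, URLs and hashes are made up.
const SAMPLE_LOCK = JSON.stringify({
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/plain-dep': {
      resolved: REGISTRY + 'plain-dep/-/plain-dep-1.2.3.tgz',
      integrity: 'sha512-CONSTRUCTED'
    },
    'node_modules/native-dep': {
      resolved: REGISTRY + 'native-dep/-/native-dep-4.0.0.tgz',
      integrity: 'sha512-CONSTRUCTED',
      hasInstallScript: true
    },
    'node_modules/git-dep': { resolved: 'git+ssh://git@example.invalid/org/git-dep.git' }
  }
})

console.log(planInstall({ lockfileText: SAMPLE_LOCK, allowScripts: false }))
```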

codecov bot commented Sep 29, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

@shazron shazron marked this pull request as ready for review September 29, 2025 11:12
@moritzraho moritzraho left a comment

lgtm, just wondering why we need the extra allow script flag

shazron commented Sep 29, 2025

> lgtm, just wondering why we need the extra allow script flag

this was mentioned in the description

moritzraho commented Sep 29, 2025

> this was mentioned in the description

meant from a feature perspective, why introduce this flag and not other npm flags or no flags? how does it relate to the lock file?

shazron commented Sep 30, 2025

> meant from a feature perspective, why introduce this flag and not other npm flags or no flags? how does it relate to the lock file?

Replied privately.

@shazron shazron merged commit 7406627 into master Sep 30, 2025
9 checks passed
@shazron shazron deleted the story/ACNA-4061 branch September 30, 2025 10:15
purplecabbage pushed a commit that referenced this pull request Nov 10, 2025
…reproducibility and security (#885)

* add `aio app install --[no]-allow-scripts` flag