Ensure fully reproducible dependency chains for the development of Node-RED

[dimitrieh]

Problem

In light of recent npm supply chain attacks we should make sure our defaults results fully reproducible dependency chains. Currently, we recommend npm install and have no package-lock.json.

Proposed solution

Update where we run npm install to make use of npm ci and ensure a package-lock.json that has been pre-validated and is included in the commit history.

Context

Coming from #5423 (comment)

[dimitrieh]

cc: @dceejay

[dceejay]

so....
a) how does this work for global packages ? (npm ci doesn't work for global packages)
b) does it automatically create the node-red bin command ? for users to run

If we do want to move to this - and install locally - a) how would we migrate existing users seamlessly (IE tidy up global install) b) recreate correct command to run as a service etc

The reasons we install globally were a) as we were part of the Pi ecosystem, we were actually installed as an deb/apt package and they have to be installed globally - and we didn't want our instructions to clash with that and create mayhem with overlapping installs - b) when installing globally npm auto creates the node-red bin command in the path so that users can just type node-red and it runs...

[dimitrieh]

@dceejay for sudo npm install -g --unsafe-perm node-red I was confused and interpreted it wrong. It installs Node-RED itself rather than the development env. I think considering if --unsafe-perm is still needed there can be considered separately there. Also, I was not worried about installing globally or not. Sorry for the confusion on my part there. I'll edit this issue and my comments.

Additionally, making installing custom nodes safer due to dependency on NPM in general is also a separate scope we can look into.

For a fully reproducible dependency chain for the development of Node-RED itself I created this issue -> and PRs: #5426 and node-red/node-red.github.io#402

[dimitrieh]

This will be okay for the dev environment, but the way release builds are generated (as this is a mono-repo with multiple npm packages in) will need overhauling so they each get a valid package-lock.json generated. Happy to merge this as a step one, but it won't be Job Done

@knolleary opening a follow up issue with this in mind: #5429