
fix: add npm-shrinkwrap.json to lock transitive dependencies in distributed packages#13458

Merged
czubocha merged 4 commits into main from lock-transitive-deps on Apr 1, 2026

fix: add npm-shrinkwrap.json to lock transitive dependencies in distributed packages#13458
czubocha merged 4 commits intomainfrom
lock-transitive-deps

Conversation

@czubocha
Contributor

@czubocha czubocha commented Apr 1, 2026

Summary

  • Add npm-shrinkwrap.json to packages/framework-dist and packages/sf-core-installer to pin all transitive dependencies, further hardening against supply chain attacks
  • Exclude both packages from the npm workspace to enable shrinkwrap generation — neither needs to be a workspace member (nothing imports them, no lifecycle scripts needed at build time)
  • Add separate Dependabot entries for both packages with the same cooldown policy to keep shrinkwraps updated

Root cause

Both distributed packages (framework-dist tarball and sf-core-installer npm package) ship without a lockfile. When dependencies are installed on user machines, transitive deps resolve fresh from the registry — allowing a compromised transitive package to be pulled in.

Related

Test plan

  • npm pack --dry-run confirms npm-shrinkwrap.json is included in both tarballs
  • Verified npm install respects shrinkwrap by pinning a transitive dep to an older version and confirming it installs that version instead of latest
  • Confirmed npm publish works correctly for sf-core-installer when excluded from workspace
  • Root npm install and npm ci succeed after workspace exclusions

Note

Medium Risk
Medium risk because it changes workspace membership and introduces per-package npm-shrinkwrap.json files, which can affect install/publish behavior and dependency resolution for the distributed artifacts.

Overview
Pins transitive dependencies for shipped npm artifacts. Adds npm-shrinkwrap.json to packages/framework-dist and packages/sf-core-installer so installs of those published packages resolve exact dependency trees.

Updates the root package.json/package-lock.json workspace config to exclude those two directories (marking them as extraneous in the lockfile) to enable shrinkwrap generation, and extends .github/dependabot.yml with separate weekly update entries (including Node 18-related ignores for sf-core-installer).

Written by Cursor Bugbot for commit f5bf19c.

Summary by CodeRabbit

  • Chores
    • Added Dependabot entries to manage updates for two additional npm package paths on a weekly schedule.
    • Adjusted workspace configuration to exclude two package directories from workspace resolution.
    • Added an npm shrinkwrap (lockfile) to pin exact dependency versions for a packaged component.
    • Removed a forced axios version override from a distributed package to allow normal resolution.

czubocha and others added 2 commits April 1, 2026 12:46
….json

The framework-dist tarball is extracted by the Go binary installer and
npm-installed without a lockfile, allowing transitive dependencies to
resolve fresh from the registry. This exposed users to supply chain
attacks on transitive deps (e.g. axios via aws-crt).

Exclude framework-dist from the npm workspace (it was never needed as
a workspace member — nothing imports it, esbuild marks its deps as
external, no lifecycle scripts) and add an npm-shrinkwrap.json that
locks the entire dependency tree. npm pack auto-includes it in the
tarball, and npm install on user machines respects it.

Add a separate Dependabot entry for framework-dist with the same
cooldown policy to keep the shrinkwrap updated.

Closes #13453

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…pendencies

The published serverless npm package ships without a lockfile, so
npm install serverless resolves transitive deps fresh from the registry.
Add npm-shrinkwrap.json to pin the full dependency tree.

Exclude sf-core-installer from the workspace to enable shrinkwrap
generation (it has no reason to be a workspace member — nothing imports
it and npm publish works independently).

Add a separate Dependabot entry with the same cooldown policy.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Mmarzex
Contributor

Mmarzex commented Apr 1, 2026

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues


@coderabbitai
Contributor

coderabbitai bot commented Apr 1, 2026

📝 Walkthrough

Walkthrough

Added Dependabot npm update jobs for two packages, excluded those packages from the root npm workspace, removed an axios override in framework-dist, and added an npm shrinkwrap lockfile for packages/sf-core-installer pinning serverless and transitive deps.

Changes

Cohort / File(s): Summary

Dependabot & Workspaces (/.github/dependabot.yml, package.json): Removed rimraf from root ignore list; added weekly npm update jobs for /packages/framework-dist and /packages/sf-core-installer; updated workspaces to exclude those two directories (!packages/framework-dist, !packages/sf-core-installer).
Framework package.json tweak (packages/framework-dist/package.json): Removed the overrides entry that pinned axios to 1.13.6.
Shrinkwrap lockfile (packages/sf-core-installer/npm-shrinkwrap.json): Added npm shrinkwrap (lockfileVersion 3) for serverless@4.33.2, pinning direct and transitive dependency versions (includes rimraf@5.0.10, undici@6.24.1) and resolved metadata.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested reviewers

  • eahefnawy

Poem

🐰 I hopped through lockfiles late at night,
I nudged workspaces, set Dependabot to sight,
Removed an override, pinned versions tight,
Shrinkwraps snug, installs tidy and bright.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: adding npm-shrinkwrap.json files to lock transitive dependencies in distributed packages, which is the core objective of this PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.


@czubocha
Contributor Author

czubocha commented Apr 1, 2026

@cursor review

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/dependabot.yml:
- Around line 96-105: The Dependabot block for package-ecosystem: 'npm' and
directory: '/packages/sf-core-installer' is missing ignore entries for undici
and rimraf; add ignore constraints that pin undici to <7.0.0 and rimraf to
<6.0.0 (or explicitly ignore versions >=7.0.0 and >=6.0.0) within that
per-directory block so Dependabot won't open major-version PRs that drop Node 18
support for the sf-core-installer package.

📥 Commits

Reviewing files that changed from the base of the PR and between 1927474 and 6b906eb.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (4)
  • .github/dependabot.yml
  • package.json
  • packages/framework-dist/npm-shrinkwrap.json
  • packages/sf-core-installer/npm-shrinkwrap.json
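An added example, not code from this PR or the serverless repository, serving two points above: the PR description's claim that a shipped npm-shrinkwrap.json makes user installs resolve an exact, verifiable tree, and CodeRabbit's note that the pinned undici/rimraf majors should stay below the versions that drop Node 18. The script audits a lockfileVersion 2/3 shrinkwrap the way a publish gate would: every entry must carry an exact version, a `resolved` URL on an allowed registry host, and a non-weak integrity hash of the right length, every dependency declared in package.json must be present in the tree, and any package listed in `majorCeilings` must be pinned below the given major. All package names, versions, hashes and URLs in the sample data are constructed for the demonstration and are not the PR's real dependency tree.

```javascript
// Added example, not code from the serverless PR or its repo: audit a
// lockfileVersion 2/3 npm-shrinkwrap.json for the properties that make it an
// effective supply-chain pin. All package names, versions, hashes and URLs below
// are constructed sample data; they are not the real tree the PR ships.

// Constructed sample inputs: a package.json and the shrinkwrap meant to pin its tree.
const samplePackageJson = {
  name: "example-installer",
  version: "1.0.0",
  dependencies: { "example-lib": "^4.0.0", "example-missing": "^2.0.0" },
};

const sampleShrinkwrap = {
  name: "example-installer",
  version: "1.0.0",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-installer", version: "1.0.0" },
    "node_modules/example-lib": {
      version: "4.33.2",
      resolved: "https://registry.npmjs.org/example-lib/-/example-lib-4.33.2.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==", // placeholder digest of the correct length
      dependencies: { "example-http": "^1.0.0", "example-glob": "^5.0.0" },
    },
    // Transitive dep that is pinned but fetched from a host other than the registry.
    "node_modules/example-http": {
      version: "1.13.6",
      resolved: "https://mirror.example.internal/example-http/-/example-http-1.13.6.tgz",
      integrity: "sha512-" + "B".repeat(86) + "==",
    },
    // Transitive dep with no integrity hash: npm cannot verify its tarball.
    "node_modules/example-glob": {
      version: "5.0.10",
      resolved: "https://registry.npmjs.org/example-glob/-/example-glob-5.0.10.tgz",
    },
  },
};

// Checks an SRI string ("sha512-<base64>"); returns null when acceptable, else a reason.
function integrityProblem(sri) {
  const m = /^(sha1|sha256|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(sri || "");
  if (!m) return "malformed integrity value";
  if (m[1] === "sha1") return "sha1 integrity is too weak to rely on";
  const expected = m[1] === "sha512" ? 64 : 32;
  const actual = Buffer.from(m[2], "base64").length;
  return actual === expected ? null : `${m[1]} digest has ${actual} bytes, expected ${expected}`;
}

// Returns human-readable findings; an empty list means the tree is fully pinned.
// options.allowedHosts: registry hosts tarballs may be fetched from.
// options.majorCeilings: { name: N } flags any pin whose major version is >= N,
// e.g. { undici: 7, rimraf: 6 } for the Node 18 floor suggested in review.
function auditShrinkwrap(pkgJson, lock, options = {}) {
  const allowedHosts = options.allowedHosts || ["registry.npmjs.org"];
  const majorCeilings = options.majorCeilings || {};
  const findings = [];
  const packages = lock.packages || {};

  if (![2, 3].includes(lock.lockfileVersion)) {
    findings.push(`lockfileVersion ${lock.lockfileVersion}: only v2/v3 "packages" trees are audited`);
  }
  // Every dependency package.json declares must be pinned somewhere in the tree.
  for (const name of Object.keys(pkgJson.dependencies || {})) {
    if (!packages[`node_modules/${name}`]) findings.push(`${name}: declared in package.json but absent from shrinkwrap`);
  }
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || entry.link || entry.inBundle) continue; // root, workspace link or bundled: nothing is fetched
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const version = entry.version || "";
    if (!/^\d+\.\d+\.\d+/.test(version)) findings.push(`${name}: version "${version}" is not an exact pin`);
    if (!entry.resolved) {
      findings.push(`${name}@${version}: no resolved URL`);
    } else {
      let host;
      try { host = new URL(entry.resolved).host; } catch { host = null; }
      if (!host || !allowedHosts.includes(host)) findings.push(`${name}@${version}: resolved from unexpected source ${entry.resolved}`);
    }
    const problem = entry.integrity ? integrityProblem(entry.integrity) : "no integrity hash, tarball cannot be verified";
    if (problem) findings.push(`${name}@${version}: ${problem}`);
    const major = parseInt(version, 10);
    if (name in majorCeilings && major >= majorCeilings[name]) {
      findings.push(`${name}@${version}: major ${major} is at or above the ceiling ${majorCeilings[name]}`);
    }
  }
  return findings;
}

// Stand-alone run over the constructed sample (the ceiling mirrors the review's
// "keep below the major that drops Node 18" rule for this hypothetical package).
if (typeof require !== "undefined" && require.main === module) {
  const findings = auditShrinkwrap(samplePackageJson, sampleShrinkwrap, { majorCeilings: { "example-glob": 6 } });
  for (const f of findings) console.log("FINDING:", f);
}
```

Run against the real packages as `node audit.js` after pointing `samplePackageJson` and `sampleShrinkwrap` at `require("./package.json")` and `require("./npm-shrinkwrap.json")`; wiring it into a `prepublishOnly` script makes a tree that is only partially pinned fail before `npm publish`, which is the point at which the tarball in this PR would otherwise ship without those guarantees.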


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6b906eb0aa


@czubocha
Contributor Author

czubocha commented Apr 1, 2026

@cursor review

…dabot entry

rimraf is only used by sf-core-installer, so move its ignore rule
there. undici is used by both sf-core-installer and packages/util,
so copy the ignore rule to sf-core-installer while keeping it on root.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@czubocha
Contributor Author

czubocha commented Apr 1, 2026

@cursor review


@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

@czubocha czubocha merged commit f0370db into main Apr 1, 2026
14 checks passed
@czubocha czubocha deleted the lock-transitive-deps branch April 1, 2026 15:05
@github-actions github-actions bot locked and limited conversation to collaborators Apr 1, 2026