Rename npm-shrinkwrap.json to package-lock.json (#37493)

* Rename npm-shrinkwrap.json to package-lock.json

* Update node_modules modification time after update-deps

* Update npm-shrinkwrap in Dockerfile

.circleci/config.yml

@@ -115,7 +115,7 @@ references:
   restore-npm-cache: &restore-npm-cache
     name: 'Restore npm cache'
     keys:
-      - v{{ .Environment.GLOBAL_CACHE_PREFIX }}-v3-npm-modules-{{ checksum ".nvmrc" }}-{{ checksum "npm-shrinkwrap.json" }}
+      - v{{ .Environment.GLOBAL_CACHE_PREFIX }}-v3-npm-modules-{{ checksum ".nvmrc" }}-{{ checksum "package-lock.json" }}
       - v{{ .Environment.GLOBAL_CACHE_PREFIX }}-v3-npm-modules-{{ checksum ".nvmrc" }}
 
   npm-install: &npm-install
@@ -124,7 +124,7 @@ references:
 
   save-npm-cache: &save-npm-cache
     name: 'Save node_modules cache'
-    key: v{{ .Environment.GLOBAL_CACHE_PREFIX }}-v3-npm-modules-{{ checksum ".nvmrc" }}-{{ checksum "npm-shrinkwrap.json" }}
+    key: v{{ .Environment.GLOBAL_CACHE_PREFIX }}-v3-npm-modules-{{ checksum ".nvmrc" }}-{{ checksum "package-lock.json" }}
     paths:
       - ~/.npm
   npm-e2e-install: &npm-e2e-install

.gitattributes

@@ -1,3 +1,2 @@
 package-lock.json merge=npm-merge-driver
-npm-shrinkwrap.json merge=npm-merge-driver
 *.js linguist-language=JSX

Dockerfile

@@ -23,9 +23,9 @@ RUN        bash /tmp/env-config.sh
 # Build a node_modules layer
 #
 # This one builds out our node_modules tree. Since we use
-# file: references, we have to copy over our 
+# file: references, we have to copy over our
 # package.json, lockfiles, and the contents of packages/*
-COPY package.json npm-shrinkwrap.json /calypso/
+COPY package.json package-lock.json /calypso/
 COPY packages /calypso/packages
 RUN npm ci
 

bin/install-if-deps-outdated.js

@@ -4,8 +4,8 @@
  * Performs an `npm install`. Since that's a costly operation,
  * it will only perform it if needed, that is, if the packages
  * installed at `node_modules` aren't in sync over what
- * `npm-shrinkwrap.json` has. For that, modification times of both
- * files will be compared. If the shrinkwrap is newer, it means that
+ * `package-lock.json` has. For that, modification times of both
+ * files will be compared. If the lockfile is newer, it means that
  * the packages at node_modules may be outdated. That will happen,
  * for example, when switching branches.
  *
@@ -21,9 +21,7 @@ const needsInstall = () => {
 	try {
 		let lockfileTime = 0;
 		const packageDir = path.dirname( '.' );
-		if ( fs.existsSync( path.resolve( packageDir, 'npm-shrinkwrap.json' ) ) ) {
-			lockfileTime = fs.statSync( path.join( packageDir, 'npm-shrinkwrap.json' ) ).mtime;
-		} else if ( fs.existsSync( path.join( packageDir, 'package-lock.json' ) ) ) {
+		if ( fs.existsSync( path.join( packageDir, 'package-lock.json' ) ) ) {
 			lockfileTime = fs.statSync( path.join( packageDir, 'package-lock.json' ) ).mtime;
 		}
 

docs/lockfile.md

@@ -0,0 +1,26 @@
+NPM Lockfile
+============
+
+We use [`package-lock.json`](https://github.com/Automattic/wp-calypso/blob/master/package-lock.json)
+to lock down our dependency versions. This allows us to freeze all dependencies at the
+exact version we have installed in our node_modules.
+
+## Generating The Lockfile
+
+If you don't edit `package.json` directly, you shouldn't need to do anything. For example, if you run `npm install --save left-pad`,
+the `package-lock.json` file will be updated automatically.
+
+If you edit `package.json` manually, or you want to bump all our transitive dependencies to their most recent version,
+you'll need to run `npm run update-deps` (that will take a while). Internally, the script does the following:
+- Deletes local `node_modules` folders in all packages
+- Deletes your local copy of `package-lock.json`
+- Runs `npm install`
+- Makes sure that all URLs in `resolved` fields are HTTPS. For some reason, NPM sometimes resolves packages from HTTP URLs
+
+## Testing
+
+To verify that the new `package-lock.json` works:
+
+- Run `npm run distclean` to delete local `node_modules`
+- Run `npm ci`
+- Verify that Calypso works as expected and that tests pass