chore: pinning weave dependency#24
Conversation
npm install is lockfile-aware and verifies downloaded tarballs, but it can update the lockfile and is not fail-closed when package.json and package-lock.json diverge. For CI, npm ci is the safer choice because it requires the lockfile to match, removes existing node_modules, and never writes the lockfile. Also, since this is primarily consumed via npm install -g, the repo’s package-lock.json does not protect end users anyway, because package-lock.json is not published. If you want stronger supply-chain security for the published CLI, provenance on the npm package would be better!
4bc5a2e to fe272ae
Thanks, it seems the ask is to add "provenance on the npm package". AFAIK, this can only be properly done if the repository is public. I will do so once the repository is open to the public.

Pin an exact version of the weave npm dependency.
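As an added example (not code from this PR or from the repository it belongs to), the script below applies, offline and against constructed manifests, the three conditions the review comment and this PR rely on: every dependency in package.json must have an entry in package-lock.json, a dependency pinned to an exact version must match what the lockfile resolved, and every lockfile entry must carry an integrity hash so the downloaded tarball can be verified. A `mustPin` list additionally rejects range specifiers (`^`, `~`) for named packages such as weave. The package names, versions and `sha512-PLACEHOLDER_*` integrity strings are constructed sample data, not real lockfile contents; `npm ci` performs the manifest-versus-lockfile check itself, so this is a pre-CI lint, not a replacement for it.

```javascript
// Added example, not code from PR #24 or the project it belongs to.
// Applies the checks a fail-closed install (npm ci) relies on to in-memory
// manifests so the logic can be read and run without network access.
// All manifests below are constructed sample data, not real lockfiles.

// npm's exact-version form: MAJOR.MINOR.PATCH with an optional prerelease tag.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Returns a list of human-readable findings; an empty list means the pair
// is consistent and every entry is verifiable.
function auditLockfile(pkg, lock, mustPin = []) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const lockPackages = lock.packages || {}; // lockfileVersion 2/3 layout

  for (const [name, spec] of Object.entries(deps)) {
    const entry = lockPackages[`node_modules/${name}`];
    if (!entry) {
      findings.push(`${name}: in package.json but absent from package-lock.json`);
      continue;
    }
    if (mustPin.includes(name) && !EXACT_VERSION.test(spec)) {
      findings.push(`${name}: spec "${spec}" is a range, not an exact version`);
    }
    if (EXACT_VERSION.test(spec) && entry.version !== spec) {
      findings.push(`${name}: package.json pins ${spec} but lockfile resolved ${entry.version}`);
    }
    if (!entry.integrity) {
      findings.push(`${name}: lockfile entry has no integrity field, tarball cannot be verified`);
    }
  }
  return findings;
}

// Constructed sample manifests. The integrity strings only imitate the SRI
// shape npm uses (sha512-<base64>); they are placeholders, not real hashes.
const packageJson = {
  name: 'example-cli',
  version: '0.1.0',
  dependencies: { weave: '0.5.3', chalk: '^5.3.0' },
};

const consistentLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/weave': { version: '0.5.3', integrity: 'sha512-PLACEHOLDER_WEAVE' },
    'node_modules/chalk': { version: '5.3.0', integrity: 'sha512-PLACEHOLDER_CHALK' },
  },
};

// Same package.json, but the lockfile drifted: weave was bumped without
// updating package.json, and chalk's entry lost its integrity field.
const driftedLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/weave': { version: '0.6.0', integrity: 'sha512-PLACEHOLDER_WEAVE' },
    'node_modules/chalk': { version: '5.3.0' },
  },
};

// A manifest that leaves weave as a caret range; rejected when weave must be pinned.
const rangePackageJson = {
  ...packageJson,
  dependencies: { weave: '^0.5.3', chalk: '^5.3.0' },
};

// Run all three scenarios and report, one line each.
for (const [label, pkg, lock] of [
  ['consistent', packageJson, consistentLock],
  ['drifted', packageJson, driftedLock],
  ['range', rangePackageJson, consistentLock],
]) {
  const findings = auditLockfile(pkg, lock, ['weave']);
  console.log(`${label}: ${findings.length === 0 ? 'ok' : findings.join('; ')}`);
}
```

The "consistent" pair passes, the "drifted" pair yields two findings (version mismatch for weave, missing integrity for chalk), and the "range" manifest is rejected only because weave is in the `mustPin` list. For the provenance step the author deferred, the relevant npm command is `npm publish --provenance`, which attaches a signed build attestation when run from a supported CI environment; as the comment notes, that step is tied to the repository being public.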