tidy: use a lockfile for js tools instead of npx

this makes us less vulnerable to MITM and supply chain attacks.

it also means that the CI scripts are no longer responsible for
tracking the versions of these tools.

it should also avoid the situation where local tsc and CI
disagree on the presense of errors due to them being different versions.

Author: lolbinarycat

.gitignore

@@ -85,8 +85,6 @@ __pycache__/
 
 ## Node
 node_modules
-package-lock.json
-package.json
 /src/doc/rustc-dev-guide/mermaid.min.js
 
 ## Rustdoc GUI tests

src/ci/docker/host-x86_64/mingw-check-1/Dockerfile

@@ -27,10 +27,6 @@ COPY scripts/nodejs.sh /scripts/
 RUN sh /scripts/nodejs.sh /node
 ENV PATH="/node/bin:${PATH}"
 
-# Install es-check
-# Pin its version to prevent unrelated CI failures due to future es-check versions.
-RUN npm install es-check@6.1.1 eslint@8.6.0 typescript@5.7.3 -g
-
 COPY scripts/sccache.sh /scripts/
 RUN sh /scripts/sccache.sh
 

src/tools/tidy/src/ext_tool_checks.rs

@@ -248,6 +248,10 @@ fn check_impl(
         shellcheck_runner(&merge_args(&cfg_args, &file_args_shc))?;
     }
 
+    if js_lint || js_typecheck || js_es_check {
+        rustdoc_js::npm_install()?;
+    }
+
     if js_lint {
         rustdoc_js::lint(librustdoc_path, tools_path, src_path)?;
     }

src/tools/tidy/src/ext_tool_checks/rustdoc_js.rs

@@ -9,6 +9,25 @@ use ignore::DirEntry;
 
 use crate::walk::walk_no_read;
 
+/// install all js dependencies from package.json.
+pub(super) fn npm_install() -> Result<(), super::Error> {
+    // disable a bunch of things we don't want.
+    // this makes tidy output less noisy, and also significantly improves runtime
+    // of repeated tidy invokations.
+    let mut child = Command::new("npm")
+        .args(&["install", "--audit=false", "--save=false", "--fund=false"])
+        .spawn()?;
+    match child.wait() {
+        Ok(exit_status) => {
+            if exit_status.success() {
+                return Ok(());
+            }
+            Err(super::Error::FailedCheck("npm install failed"))
+        }
+        Err(error) => Err(super::Error::Generic(format!("npm install failed: {error:?}"))),
+    }
+}
+
 fn rustdoc_js_files(librustdoc_path: &Path) -> Vec<PathBuf> {
     let mut files = Vec::new();
     walk_no_read(
@@ -22,8 +41,7 @@ fn rustdoc_js_files(librustdoc_path: &Path) -> Vec<PathBuf> {
 }
 
 fn run_eslint(args: &[PathBuf], config_folder: PathBuf) -> Result<(), super::Error> {
-    let mut child = Command::new("npx")
-        .arg("eslint")
+    let mut child = Command::new("node_modules/.bin/eslint")
         .arg("-c")
         .arg(config_folder.join(".eslintrc.js"))
         .args(args)
@@ -106,8 +124,7 @@ pub(super) fn lint(
 
 pub(super) fn typecheck(librustdoc_path: &Path) -> Result<(), super::Error> {
     // use npx to ensure correct version
-    let mut child = Command::new("npx")
-        .arg("tsc")
+    let mut child = Command::new("node_modules/.bin/tsc")
         .arg("-p")
         .arg(librustdoc_path.join("html/static/js/tsconfig.json"))
         .spawn()?;
@@ -124,9 +141,8 @@ pub(super) fn typecheck(librustdoc_path: &Path) -> Result<(), super::Error> {
 
 pub(super) fn es_check(librustdoc_path: &Path) -> Result<(), super::Error> {
     let files_to_check = rustdoc_js_files(librustdoc_path);
-    // use npx to ensure correct version
-    let mut cmd = Command::new("npx");
-    cmd.arg("es-check").arg("es2019");
+    let mut cmd = Command::new("node_modules/.bin/es-check");
+    cmd.arg("es2019");
     for f in files_to_check {
         cmd.arg(f);
     }