From aeaa96124cd9c93501dc0b2d4baa58dcc57a95cc Mon Sep 17 00:00:00 2001
From: Tom Byers
Date: Tue, 14 Sep 2021 20:52:02 +0100
Subject: [PATCH] Fix node version & lock down npm version

The intention behind the version of node in the engines property was for that version to be the minimum required so it was always missing the `>=` prefix. This adds that prefix and also adds a setting for npm, to prevent use of insecure versions. See this article for details: https://github.blog/2021-09-08-github-security-update-vulnerabilities-tar-npmcli-arborist/
---
 package.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 93b86a45d..c1efc35c1 100644
--- a/package.json
+++ b/package.json
@@ -3,7 +3,8 @@
 "version": "0.0.1",
 "description": "Admin front end for GOV.UK Notify",
 "engines": {
- "node": "10.15.3"
+ "node": ">=10.15.3",
+ "npm": "6.14.15 || >= 7.21.0"
 },
 "scripts": {
 "test": "gulp lint && jest --config tests/javascripts/jest.config.js tests/javascripts",
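Review bot: The `engines` entries added here are advisory on their own: npm only warns on a mismatch unless `engine-strict=true` is configured (for example in a project `.npmrc`), and no such setting is visible in this patch, so the new `npm` range may not actually stop an install from running under an affected npm version. If the repository does not already set it, adding `engine-strict=true` to `.npmrc`, or an explicit npm version check in CI, would make the restriction effective. Separately, `"npm": "6.14.15 || >= 7.21.0"` matches exactly one release on the 6.x line, so any later 6.x patch would be reported as unsupported; `"npm": ">=6.14.15 <7 || >=7.21.0"` keeps the same floor without that side effect. `"node": ">=10.15.3"` likewise has no upper bound, so it accepts future major versions the build has presumably not been tested against.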