Http:// URLs in package-lock.json

I noticed some URLs in package-lock.json use HTTP instead of HTTPS. In particular:

events-1.1.1
get-stream-3.0.0
p-is-promise
sha.js
readable-stream-2.3.6
wrap-ansi

minimist-1.2.0
jsesc-0.5.0
browserify-aes-1.2.0
create-hash-1.2.0
create-hmac-1.1.7
diffie-hellman-5.0.3
parse-asn1-5.1.1
readable-stream-2.3.6

All of these are for NPM, which thoroughly supports HTTPS.

Is this adequately secure in the current threat environment of the Internet?

The file is automatically created and updated. Do you know how to configure npm to use https for those?

Did some digging, and found this: https://npm.community/t/npm-install-downgrading-resolved-packages-from-https-to-http-registry-in-package-lock-json/1818/14

This original issue is still open on GitHub: https://github.com/npm/npm/issues/20106

Apparently it’s a server-side problem. Some people are replacing the URLs locally using a script after updating the lockfile.

I have a commit (https://github.com/remotestorage/remotestorage.js/commit/4685d1aaef01299438e8c99e967bcdfff46a6078) which adds a postshrinkwrap script to avoid http/https churn in package-lock.json, but I’m still disentangling some earlier things. If anyone wants to cherry-pick that commit, go ahead.


Works like a charm! I edited the commit message a bit, and opened a pull request: https://github.com/remotestorage/remotestorage.js/pull/1144