chore(ui): pin packageManager to npm@11.6.2#2271
Merged
Charlesthebird merged 10 commits intoJul 16, 2026
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Pins the UI’s npm version via packageManager and aligns GitHub Actions Node setup with the UI’s .nvmrc to make npm ci/lockfile behavior more reproducible and reduce lockfile churn across npm versions.
Changes:
- Add
"packageManager": "npm@11.6.2"toui/package.json. - Regenerate
ui/package-lock.jsonunder npm 11.6.2 (lockfile metadata changes). - Update CI and Chromatic workflows to use
ui/.nvmrcand enable Corepack beforenpm ci.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| ui/package.json | Adds packageManager pin for npm to improve install reproducibility. |
| ui/package-lock.json | Regenerated lockfile output consistent with the pinned npm version. |
| .github/workflows/ui-chromatic.yaml | Uses .nvmrc for Node version and enables Corepack before installing UI deps. |
| .github/workflows/ci.yaml | Uses .nvmrc for Node version and enables Corepack before installing UI deps in ui-tests. |
Files not reviewed (1)
- ui/package-lock.json: Generated file
Comments suppressed due to low confidence (1)
ui/package-lock.json:983
- The PR description says the lockfile diff is “metadata-only” (peer/optional flags only), but the regenerated lockfile also removes entire optional package entries (e.g. there is no longer any
node_modules/@emnapi/coreornode_modules/@emnapi/runtimepackage record in thepackagesmap) and drops severallibcconstraints elsewhere. Please update the description accordingly and/or confirmnpm ciremains reproducible across platforms (e.g., glibc vs musl) with the new lockfile.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Charlesthebird
previously approved these changes
Jul 16, 2026
Node 24.13.0 (ui/.nvmrc) bundles npm 11.6.2. Pinning packageManager keeps npm installs reproducible and prevents package-lock.json metadata churn across npm versions. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Carlos Logroño Guerrero <carlos.logrono@solo.io>
Charlesthebird
approved these changes
Jul 16, 2026
Regenerated with the pinned npm (11.6.2) so the lockfile matches the packageManager field. Diff is metadata-only (peer/optional flags); no dependency version changes. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Carlos Logroño Guerrero <carlos.logrono@solo.io>
Signed-off-by: Carlos Logroño Guerrero <carlos.logrono@solo.io>
Signed-off-by: Carlos Logroño Guerrero <carlos.logrono@solo.io>
Signed-off-by: Carlos Logroño Guerrero <carlos.logrono@solo.io>
Signed-off-by: Carlos Logroño Guerrero <carlos.logrono@solo.io>
The ui-tests job ran npm ci with the latest npm bundled in node 24.x (11.8.0), but the lock file was regenerated with the pinned npm@11.6.2, so the @emnapi optional-dep tree resolved differently and npm ci failed as out of sync. Pin Node via ui/.nvmrc and enable corepack so npm ci uses the packageManager version that generated the lock file. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Nicholas Bucher <behappy54321@gmail.com>
The wolfi-base default "npm" apk package tracks a newer npm major (12.x) whose stricter optional-dependency resolution rejects the committed package-lock.json, failing the build (ui) job with EUSAGE (missing @emnapi/* records). Derive the npm version from package.json "packageManager" (npm@11.6.2) and pin the apk npm to it, so the image resolves the lock with the same npm that generated it — no extra download, no hardcoded version, and no lock-file churn. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Nicholas Bucher <behappy54321@gmail.com>
cjlg-soloio
force-pushed
the
cjlg-soloio/pinPackageManager
branch
from
July 16, 2026 16:30
ee6f3a2 to
ef40fd0
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
🤖 written by Claude (start)
Follow-up to a review comment on #2180: pins the npm version via the
packageManagerfield sonpm installis reproducible andui/package-lock.jsonstops picking up metadata churn across npm versions.ui/.nvmrcpins Node 24.13.0, which bundles npm 11.6.2 — so the field is set tonpm@11.6.2, consistent with the Node version CI already reads from.nvmrc.Files
Modified
ui/package.json— adds top-level"packageManager": "npm@11.6.2"ui/package-lock.json— regenerated under npm 11.6.2 to match the pin; metadata-only diff (peer/optionalflags), no dependency version changesTesting
Change type
chore / cleanup — dev tooling only. No product or runtime code changed.
Changelog
NONE🤖 written by Claude (end)