ci: pin npm 11 to unblock Dependabot frontend PRs #271

Merged: hokiepokedad2 merged 1 commit into main from fix/ci-pin-npm-11 on May 22, 2026

@hokiepokedad2
Contributor

Summary

Fixes CI failures on 5 open Dependabot frontend PRs (#248, #250, #256, #261, #262).

Root cause

  • CI workflow uses `node-version: '22'` → bundled npm 10.9.7.
  • `@angular-devkit/architect` and 3 sibling packages declare `chokidar` as an optional peer (`^4.0.0`). When the lockfile is generated, nested entries are written for `chokidar@4.0.3` and `readdirp@4.1.2` under those packages.
  • Dependabot regenerates `package-lock.json` with a newer npm (11.x) that prunes those nested optional-peer entries.
  • npm 10.9.7's `npm ci` strictly requires the entries to be present and fails with `EUSAGE: Missing: chokidar@4.0.3 from lock file`.

Reproduction: `npm ci` against any of the 5 PR head SHAs with npm 10.9.7 fails; the same checkout with npm 11.x succeeds.

Fix

Add a `Pin npm 11` step in the `frontend` job that runs `npm install -g npm@11` between `setup-node` and `npm ci`. This aligns CI's install resolution with Dependabot's so lockfiles produced by Dependabot are accepted.

Follow-up after merge

Test plan

CI installs Node 22 which ships npm 10.9.7. That version's `npm ci`
strictly requires the nested `chokidar@4.0.3` / `readdirp@4.1.2`
entries that `@angular-devkit/*` packages declare as optional peer
deps. Dependabot regenerates `package-lock.json` with a newer npm
that prunes those entries, producing lockfiles npm 10.9.7 rejects
with EUSAGE — blocking #248, #250, #256, #261, #262.

Aligning CI to npm 11 matches Dependabot's resolution so the
post-rebase lockfile is accepted.
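
The following is an added example, not code from this PR or the project: it scans the `packages` map of a lockfile (v2/v3 layout) for optional peers that have no entry anywhere on the Node resolution path, the state the PR says npm 11 produces and npm 10.9.7's `npm ci` rejects. The two sample lockfiles are constructed, `0.0.0-sample` is a placeholder version, and the check is a heuristic, not npm's own validation.

```javascript
// Added example (not from the PR): report optional peer dependencies that
// have no entry in a lockfile's "packages" map (lockfileVersion 2/3 layout).

// Look for `dep` the way Node resolves it from the declaring package:
// <pkg>/node_modules/<dep>, then each enclosing node_modules, then the root.
function resolveInLock(packages, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (Object.hasOwn(packages, candidate)) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

function missingOptionalPeers(lock) {
  const packages = lock.packages || {};
  const missing = [];
  for (const [key, entry] of Object.entries(packages)) {
    const meta = entry.peerDependenciesMeta || {};
    for (const [dep, range] of Object.entries(entry.peerDependencies || {})) {
      if (!(meta[dep] && meta[dep].optional)) continue; // required peers are out of scope
      if (resolveInLock(packages, key, dep) === null) {
        missing.push({ declaredBy: key, peer: dep, range });
      }
    }
  }
  return missing;
}

// Constructed sample data; '0.0.0-sample' is a placeholder version.
const architect = {
  version: '0.0.0-sample',
  peerDependencies: { chokidar: '^4.0.0' },
  peerDependenciesMeta: { chokidar: { optional: true } },
};
const withNested = { lockfileVersion: 3, packages: {
  'node_modules/@angular-devkit/architect': architect,
  'node_modules/@angular-devkit/architect/node_modules/chokidar': { version: '4.0.3' },
} };
const pruned = { lockfileVersion: 3, packages: {
  'node_modules/@angular-devkit/architect': architect,
} };

console.log('with nested entries:', missingOptionalPeers(withNested));
console.log('pruned:', missingOptionalPeers(pruned));
```

To check a real checkout, pass the parsed contents of `package-lock.json` to `missingOptionalPeers` and compare the result between the base branch and the Dependabot branch.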

Copilot AI left a comment

Pull request overview

This PR updates the CI pipeline to align the frontend job’s npm version with the lockfiles Dependabot generates, preventing npm ci failures on Dependabot-managed frontend dependency PRs.

Changes:

  • Add a CI step in the frontend job to install npm 11 before running npm ci.
  • Document the CI/root-cause and fix in the Unreleased changelog.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| CHANGELOG.md | Adds an Unreleased “Fixed” entry describing the Dependabot/lockfile npm ci failure and the CI mitigation. |
| .github/workflows/ci.yml | Installs npm 11 in the frontend job prior to dependency installation to match Dependabot lockfile behavior. |

Comment thread .github/workflows/ci.yml
Comment on lines +70 to +71
- name: Pin npm 11
run: npm install -g npm@11
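Review bot: `npm@11` on the `run:` line is a major-version range rather than a pin, despite the step name "Pin npm 11", so each CI run installs whichever 11.x release is current and the tool that validates the lockfile can change without any commit to this repository. Consider pinning the exact release you tested (written here as the placeholder `npm@11.x.y`) and bumping it deliberately, so that a CI result stays reproducible for a given commit.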
Comment thread CHANGELOG.md
hokiepokedad2 merged commit 577aa52 into main on May 22, 2026
9 checks passed
hokiepokedad2 deleted the fix/ci-pin-npm-11 branch on May 22, 2026 13:55