
fix(ci): replace npm install with npm ci in all workflows#257

Merged
MattDevy merged 1 commit into main from claude/optimistic-shannon-43b176 on Apr 30, 2026

Conversation

@MattDevy (Contributor)

Summary

  • Replaces all bare npm install calls in CI/release workflows with npm ci
  • Covers 4 occurrences: test-node, license-header, notice-file (ci.yml), and the release publish step (release.yml)
  • npm ci enforces exact lockfile resolution and fails on drift; npm install can silently rewrite package-lock.json and pick up drifted transitive deps

Fixes #238 (ECLI-001 from Infosec review)

Test plan

  • Verify CI passes on this PR (the npm ci calls succeed with the existing lockfile)
  • Confirm no remaining npm install in .github/workflows/

Enforces lockfile integrity across test-node, license-header,
notice-file (ci.yml) and the release publish job (release.yml).
npm ci fails on lockfile drift; npm install can silently rewrite
package-lock.json and resolve drifted transitive deps.

Fixes #238
@github-actions

MegaLinter analysis: Success

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ ACTION actionlint 2 0 0 0.09s
✅ COPYPASTE jscpd yes no no 8.16s
✅ REPOSITORY gitleaks yes no no 78.0s
✅ REPOSITORY git_diff yes no no 0.46s
✅ REPOSITORY secretlint yes no no 12.0s
✅ REPOSITORY trivy yes no no 19.52s
✅ YAML yamllint 2 0 0 0.74s

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security

MattDevy merged commit c6beb33 into main on Apr 30, 2026
18 checks passed
MattDevy deleted the claude/optimistic-shannon-43b176 branch on April 30, 2026 at 15:25


Development

Successfully merging this pull request may close these issues.

Infosec ECLI-001: use npm ci

2 participants