Deferred from PR #1163 review.
Original reviewer comment: #1163 (comment)
Context: Greptile noted that the CI parity job's binary mapping references @optave/codegraph-linux-arm64-musl, and suggested adding it to EXPECTED_LIBC in scripts/verify-lockfile-libc.mjs for future-proofing. However, the package is not currently listed in package.json's optionalDependencies, so it is not present in package-lock.json. The current verifier treats a missing entry as a failure, so adding arm64-musl to EXPECTED_LIBC today would immediately break CI.
When (and only when) @optave/codegraph-linux-arm64-musl is published and added to optionalDependencies (matching the existing parity-job mapping), this verifier should be extended with:
'@optave/codegraph-linux-arm64-musl': 'musl',
so the same npm 11 strip-regression guard covers it.
If we want the guard to be future-proof now, an alternative is to relax the "missing from package-lock.json" branch to a no-op (skip, with a warning) so unpublished packages don't fail the check. That is a behavioral change worth its own design decision rather than bundling into the current fix-and-guard PR.
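The trade-off described above, as an added sketch; it is not the contents of scripts/verify-lockfile-libc.mjs. The `@example/...` package names, the lockfile fragment, `verifyLibc` and its `allowMissing` option are hypothetical, and the lockfile `libc` field is assumed to be an array like `os` and `cpu`.

```javascript
// Added illustration only; the real verifier's map and logic are not shown on this page.
const EXPECTED_LIBC = {
  '@example/native-linux-x64-gnu': 'glibc',     // constructed name
  '@example/native-linux-x64-musl': 'musl',     // constructed name
  '@optave/codegraph-linux-arm64-musl': 'musl', // entry proposed in the issue
};

// Constructed lockfile fragment: the musl entry has lost its libc field
// (the strip regression the guard exists for) and arm64-musl is absent
// because it is not in optionalDependencies.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@example/native-linux-x64-gnu':
      { optional: true, os: ['linux'], cpu: ['x64'], libc: ['glibc'] },
    'node_modules/@example/native-linux-x64-musl':
      { optional: true, os: ['linux'], cpu: ['x64'] },
  },
};

// Compare each expected package against the lockfile.
// allowMissing=false: an absent entry is an error (the current behavior per the issue).
// allowMissing=true:  an absent entry is only a warning (the proposed relaxation).
// A present entry with a wrong or stripped libc field is an error in both modes.
function verifyLibc(lock, expected, { allowMissing = false } = {}) {
  const errors = [];
  const warnings = [];
  const packages = lock.packages ?? {};
  for (const [name, libc] of Object.entries(expected)) {
    const entry = packages[`node_modules/${name}`];
    if (entry === undefined) {
      const msg = `${name}: missing from package-lock.json`;
      (allowMissing ? warnings : errors).push(msg);
      continue;
    }
    // Accept either a string or an array form of the field.
    const actual = [].concat(entry.libc ?? []);
    if (actual.length !== 1 || actual[0] !== libc) {
      const found = JSON.stringify(entry.libc ?? null);
      errors.push(`${name}: expected libc ${libc}, found ${found}`);
    }
  }
  return { ok: errors.length === 0, errors, warnings };
}
```

In the relaxed mode a stripped `libc` field still fails the check, but a package that drops out of the lockfile entirely only produces a warning, which is the behavioral change the issue defers.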