lockfileVersion: 3 and Node 14

[gr2m]

Follow up to https://twitter.com/rarkins/status/1595136651734708234

At @octokit, we recently started to get CI fails on pull requests created by @renovate because it updated the lockfileVersion in the package-lock.json files to 3, which is not supported by the npm version that is shipped by default with latest Node 14. Node 14 is still maintained until end of April 2022, so we try to keep testing with it until then.

The workaround we came up with is to install the latest version of npm when testing in Node 14.

   test_matrix:
     runs-on: ubuntu-latest
     strategy:
       matrix:
         node_version:
           - 14
           - 16
           - 18
     steps:
       - uses: actions/checkout@v3
       - name: Use Node.js ${{ matrix.node_version }}
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node_version }}
           cache: npm
+      - run: npm install --global npm
+        if: ${{ matrix.node_version == 14 }}
       - run: npm ci
       - run: npm test

That approach is working as confirmed via octokit/app.js#364.

We wondered if you have any thoughts and suggestions on how to handle the sudden lockfileVersion bump in Renovate's pull requests?

[rarkins]

When constraints are unspecified, Renovate installs the latest stable version available, which at the moment means node v18 and npm v9.

I have some ideas for improving the intelligence of this in the medium term, but I'll create some feature requests for those separately.

As you have a centralized config, you could fix this yourself by adding this to https://github.com/octokit/.github/blob/master/default.json:

  "constraints": {
    "npm": "<9"
  }

[rarkins]

Related:

• npm: detect lock file v2 and v3 #19045
• Default npm to use default version from node #19044

[rarkins]

I think/hope you won't need to make any config changes once #19046 is merged and live, as it will mean npm v8 is selected for repos which have an existing v2 lock file.