CI: repair Dependabot lockfiles before npm ci#6
Merged
Conversation
Dependabot regenerates package-lock.json with npm 11, which omits nested entries npm 10 requires for optional peer deps whose hoisted version is too old. npm ci on node 22 then fails with EUSAGE 'Missing: <pkg> from lock file' (this broke the fontdue-js 3.0.6 bump in example-tanstack and next-template). The new build step regenerates the lockfile with the runner's npm 10 -- valid under both npm 10 and 11 -- and pushes the fix to the Dependabot branch. No-op when the lockfile is already fine. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
✅ Deploy Preview for fontdue-example-react-router ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
These repos are public templates -- anyone who clones one inherits .github/ wholesale, and Dependabot activates automatically on push. That was fine for the update PRs and the build check, but automerge would also squash-merge fontdue-js bumps into a client's main unattended. The repository_owner check scopes unattended merges to our org; the comment tells template users how to opt in deliberately. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Dependabot regenerates
package-lock.jsonwith npm 11, which omits nested entries npm 10 requires for optional peer deps whose hoisted version is too old.npm cion node 22 then fails withMissing: <pkg> from lock file— this is what broke the fontdue-js 3.0.6 bumps in example-tanstack (#5) and next-template (#19); this repo passed only because its current tree happens not to need such entries, and any future bump could flip that.The new build step (Dependabot PRs only) regenerates the lockfile with the runner's npm 10 and pushes the repair to the PR branch; the result is valid under both npm 10 and npm 11 (verified locally both ways on the failing repos). It is a no-op when the lockfile is already fine.
Same change as fontdue/next-template#20, minus the eject bits.
🤖 Generated with Claude Code
Update: now also gates the
automergejob togithub.repository_owner == 'fontdue'. These are public template repos — clones inherit.github/wholesale and Dependabot activates automatically on push, so without the gate a client repo would get unattended squash-merges to its main (gated only by a build that runs againstexample.fontdue.xyz, and many client sites auto-deploy from main). Clones still get the update PRs and the build check; the comment in the workflow tells template users how to opt in deliberately.