Skip to content

CI: repair Dependabot lockfiles before npm ci#6

Merged
tomconroy merged 2 commits into
mainfrom
ci/dependabot-lockfile-repair
Jul 13, 2026
Merged

CI: repair Dependabot lockfiles before npm ci#6
tomconroy merged 2 commits into
mainfrom
ci/dependabot-lockfile-repair

Conversation

@tomconroy

@tomconroy tomconroy commented Jul 13, 2026

Copy link
Copy Markdown
Member

Dependabot regenerates package-lock.json with npm 11, which omits nested entries npm 10 requires for optional peer deps whose hoisted version is too old. npm ci on node 22 then fails with Missing: <pkg> from lock file — this is what broke the fontdue-js 3.0.6 bumps in example-tanstack (#5) and next-template (#19); this repo passed only because its current tree happens not to need such entries, and any future bump could flip that.

The new build step (Dependabot PRs only) regenerates the lockfile with the runner's npm 10 and pushes the repair to the PR branch; the result is valid under both npm 10 and npm 11 (verified locally both ways on the failing repos). It is a no-op when the lockfile is already fine.

Same change as fontdue/next-template#20, minus the eject bits.

🤖 Generated with Claude Code


Update: now also gates the automerge job to github.repository_owner == 'fontdue'. These are public template repos — clones inherit .github/ wholesale and Dependabot activates automatically on push, so without the gate a client repo would get unattended squash-merges to its main (gated only by a build that runs against example.fontdue.xyz, and many client sites auto-deploy from main). Clones still get the update PRs and the build check; the comment in the workflow tells template users how to opt in deliberately.

Dependabot regenerates package-lock.json with npm 11, which omits nested
entries npm 10 requires for optional peer deps whose hoisted version is
too old. npm ci on node 22 then fails with EUSAGE 'Missing: <pkg> from
lock file' (this broke the fontdue-js 3.0.6 bump in example-tanstack and
next-template). The new build step regenerates the lockfile with the
runner's npm 10 -- valid under both npm 10 and 11 -- and pushes the fix
to the Dependabot branch. No-op when the lockfile is already fine.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@netlify

netlify Bot commented Jul 13, 2026

Copy link
Copy Markdown

Deploy Preview for fontdue-example-react-router ready!

Name Link
🔨 Latest commit 2e60c3c
🔍 Latest deploy log https://app.netlify.com/projects/fontdue-example-react-router/deploys/6a554d610b049300084059db
😎 Deploy Preview https://deploy-preview-6--fontdue-example-react-router.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

These repos are public templates -- anyone who clones one inherits
.github/ wholesale, and Dependabot activates automatically on push. That
was fine for the update PRs and the build check, but automerge would also
squash-merge fontdue-js bumps into a client's main unattended. The
repository_owner check scopes unattended merges to our org; the comment
tells template users how to opt in deliberately.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@tomconroy tomconroy marked this pull request as ready for review July 13, 2026 20:46
@tomconroy tomconroy merged commit fe22855 into main Jul 13, 2026
6 checks passed
@tomconroy tomconroy deleted the ci/dependabot-lockfile-repair branch July 13, 2026 20:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant