fix: skip npm self-upgrade when version unspecified #90
Open
The shared install-deps action runs `npm i -g npm@latest` unconditionally, which currently fails on Node 22 with `Cannot find module 'promise-retry'` (npm/cli#9151). This breaks every consumer that uses the default `npm-version` value, and v5.0.10 is byte-identical to v5.0.4 so consumers can't bump out of it. Switch the default to empty string and gate the upgrade step on `inputs.npm-version != ''`. Empty means "use the npm bundled with the selected node version". Explicit pins (e.g. '10.9.7') continue to work unchanged. Consumers that explicitly set 'latest' still get the broken behavior — they asked for it. Also bumps the internal install-deps ref in nodejs-{lint,test,build}.yaml from v5.0.4/v4.1.1 to v5.0.11 so the new default actually reaches consumers when they bump their caller tag.
Summary
The shared `install-deps` composite action runs `npm i -g npm@latest` unconditionally on every job. This currently fails on Node 22 with:
Tracked upstream as npm/cli#9151. Open with no fix or ETA.
Impact: every DVSA Node CI pipeline that uses `nodejs-lint.yaml` / `nodejs-test.yaml` / `nodejs-build.yaml` without setting an explicit `npm-version` has been red since ~2026-03-04. v5.0.10 is byte-identical to v5.0.4 for `install-deps/action.yaml`, so consumers cannot escape by bumping their caller tag.
Approach
- `npm-version` from `'latest'` to `''`
- `npm i -g` step with `if: inputs.npm-version != ''`
- `'10.9.7'`) are unchanged
- `'latest'` still gets the upgrade attempt; that's an explicit ask we honor
The three reusable workflows (`nodejs-{lint,test,build}.yaml`) also get their internal `install-deps@vX.Y.Z` pin bumped to `v5.0.11` so that consumers who bump their caller tag actually pick up the fix. Forward-referencing `v5.0.11` is fine because action refs resolve at run time, not commit time — once the tag is cut on the merge commit the references resolve consistently.
Behavior matrix
`npm-version` set `latest` is broken `npm-version: '10.9.7'` `npm-version: 'latest'` (explicit) `npm-version: ''` `npm@`)
The only behavior change is for consumers relying on the old `latest` default — and they're currently red anyway, so "change" = "unbroken".
Release / rollout
After merge, this commit needs to be tagged v5.0.11 for the forward refs in the workflows to resolve. Consumers can then bump their caller (e.g. `nodejs-lint.yaml@v5.0.10` → `@v5.0.11`) and stop hitting the regression.
Test plan
- `v5.0.11` on the merge commit
- `dvsa/inr-erru-middleware` PR #293 after bumping its caller tag to `@v5.0.11` — confirm `lint` and `test` jobs go green
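An added sketch of the change the description outlines, not the repository's own `install-deps/action.yaml` (which this page does not show): a composite action with the floating `'latest'` default beside the gated, empty-default form. The action names, descriptions, step names and the `NPM_VERSION` environment variable are assumptions; only the `npm-version` input, the `npm i -g` upgrade and the `if:` condition come from the description.

```yaml
# Constructed example: two variants of one composite action, separated by '---'.
# Variant 1: the behaviour the description reports as broken.
name: "install-deps (sketch, floating default)"
description: "Hypothetical stand-in for the shared action"
inputs:
  npm-version:
    description: "npm version to install globally"
    required: false
    default: 'latest'      # floating: each run installs whatever npm's latest tag points at
runs:
  using: composite
  steps:
    - name: Upgrade npm    # no condition, so it runs on every job
      shell: bash
      env:
        NPM_VERSION: ${{ inputs.npm-version }}   # assumption: passed via env, not inlined into the script
      run: npm i -g "npm@${NPM_VERSION}"
---
# Variant 2: empty default, upgrade gated on an explicit request.
name: "install-deps (sketch, gated)"
description: "Hypothetical stand-in for the shared action"
inputs:
  npm-version:
    description: "npm version to install; empty keeps the npm bundled with the selected Node"
    required: false
    default: ''
runs:
  using: composite
  steps:
    - name: Upgrade npm
      if: inputs.npm-version != ''   # skipped unless the caller set a version
      shell: bash
      env:
        NPM_VERSION: ${{ inputs.npm-version }}
      run: npm i -g "npm@${NPM_VERSION}"
```

A caller that passes `npm-version: '10.9.7'` gets the same pinned install from either variant; only callers that omit the input see a difference.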