From 88b6a1325947a424114405487b4f74290e120250 Mon Sep 17 00:00:00 2001
From: Andy Newton
Date: Mon, 13 Apr 2026 09:10:38 +0100
Subject: [PATCH] fix: skip npm self-upgrade when version unspecified
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The shared install-deps action runs `npm i -g npm@latest` unconditionally, which currently fails on Node 22 with `Cannot find module 'promise-retry'` (npm/cli#9151). This breaks every consumer that uses the default `npm-version` value, and v5.0.10 is byte-identical to v5.0.4 so consumers can't bump out of it. Switch the default to empty string and gate the upgrade step on `inputs.npm-version != ''`. Empty means "use the npm bundled with the selected node version". Explicit pins (e.g. '10.9.7') continue to work unchanged. Consumers that explicitly set 'latest' still get the broken behavior — they asked for it. Also bumps the internal install-deps ref in nodejs-{lint,test,build}.yaml from v5.0.4/v4.1.1 to v5.0.11 so the new default actually reaches consumers when they bump their caller tag.
---
 .github/actions/install-deps/action.yaml | 8 +++++---
 .github/workflows/nodejs-build.yaml | 4 ++--
 .github/workflows/nodejs-lint.yaml | 4 ++--
 .github/workflows/nodejs-test.yaml | 4 ++--
 README.md | 6 +++---
 5 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/.github/actions/install-deps/action.yaml b/.github/actions/install-deps/action.yaml
index fa22c37..f20bc15 100644
--- a/.github/actions/install-deps/action.yaml
+++ b/.github/actions/install-deps/action.yaml
@@ -8,10 +8,10 @@ inputs:
 required: false
 default: '18.x'
 npm-version:
- description: NPM version to be installed and used
+ description: NPM version to install globally before `npm ci`. Leave empty (default) to use the npm bundled with the selected node version. Set to a specific version (e.g. '10.9.7') to pin. Avoid 'latest' — it triggers npm/cli#9151 on Node 22.
 type: string
 required: false
- default: 'latest'
+ default: ''
 runs:
 using: 'composite'
@@ -21,7 +21,9 @@ runs:
 with:
 node-version: ${{ inputs.node-version }}
 cache: 'npm'
- - run: npm i -g npm@${{ inputs.npm-version }}
+ - name: Upgrade npm
+ if: inputs.npm-version != ''
+ run: npm i -g npm@${{ inputs.npm-version }}
 shell: bash
 - run: node --version
 shell: bash
diff --git a/.github/workflows/nodejs-build.yaml b/.github/workflows/nodejs-build.yaml
index 78f079c..6e59e23 100644
--- a/.github/workflows/nodejs-build.yaml
+++ b/.github/workflows/nodejs-build.yaml
@@ -30,7 +30,7 @@ on:
 npm-version:
 type: string
 required: false
- default: 'latest'
+ default: ''
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -38,7 +38,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: Install dependencies
- uses: dvsa/.github/.github/actions/install-deps@v5.0.4
+ uses: dvsa/.github/.github/actions/install-deps@v5.0.11
 with:
 node-version: ${{ inputs.node-version }}
 npm-version: ${{ inputs.npm-version }}
diff --git a/.github/workflows/nodejs-lint.yaml b/.github/workflows/nodejs-lint.yaml
index 98b1db5..22fd447 100644
--- a/.github/workflows/nodejs-lint.yaml
+++ b/.github/workflows/nodejs-lint.yaml
@@ -13,7 +13,7 @@ on:
 npm-version:
 type: string
 required: false
- default: 'latest'
+ default: ''
 biome:
 type: boolean
 required: false
@@ -26,7 +26,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: Install dependencies
- uses: dvsa/.github/.github/actions/install-deps@v5.0.4
+ uses: dvsa/.github/.github/actions/install-deps@v5.0.11
 with:
 node-version: ${{ inputs.node-version }}
 npm-version: ${{ inputs.npm-version }}
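Review bot: In `.github/actions/install-deps/action.yaml`, the rewritten `Upgrade npm` step still expands `${{ inputs.npm-version }}` directly inside the `run:` script, so the value is pasted into the bash command before the shell parses it. The added `if:` only filters out the empty string, so every other value reaches the shell as written. Since the step is being restructured anyway, pass the input through the environment and quote it: add `env:` with `NPM_VERSION: ${{ inputs.npm-version }}` and change the command to `run: npm i -g "npm@${NPM_VERSION}"`. That keeps a caller-supplied value as an argument to npm rather than as shell syntax, which matters for a shared action whose callers are presumably not all under this repository's control. The rest of the `runs.steps` list lies outside the hunk.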
diff --git a/.github/workflows/nodejs-test.yaml b/.github/workflows/nodejs-test.yaml
index cdce100..2c4dd84 100644
--- a/.github/workflows/nodejs-test.yaml
+++ b/.github/workflows/nodejs-test.yaml
@@ -14,7 +14,7 @@ on:
 npm-version:
 required: false
 type: string
- default: 'latest'
+ default: ''
 jobs:
 test:
 runs-on: ubuntu-latest
@@ -22,7 +22,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: Install dependencies
- uses: dvsa/.github/.github/actions/install-deps@v4.1.1
+ uses: dvsa/.github/.github/actions/install-deps@v5.0.11
 with:
 node-version: ${{ inputs.node-version }}
 npm-version: ${{ inputs.npm-version }}
diff --git a/README.md b/README.md
index d07045f..bd307a7 100644
--- a/README.md
+++ b/README.md
@@ -109,13 +109,13 @@ Publishing to NPM requires permissions and the relevant token to be stored in th
 - optional argument:
 - `max-warnings`: Sets how many warnings are allowed. Only applies when not using Biome. No default value.
 - `node-version`: Defines the version of NodeJS is used for actions/install-deps. Default is `20.x`.
- - `npm-version`: Defines the version of NPM that is used for actions/install-deps. Default is `latest`.
+ - `npm-version`: Global npm version to install before `npm ci`. Default is `''` (use the npm bundled with the selected node version). Avoid `'latest'` — triggers npm/cli#9151 on Node 22.
 - `biome`: Boolean flag to indicate if Biome linter is being used. Default is `false`.
 1. Test
 - optional argument:
 - `test-command`: Sets the command used during the Test step. Default is `npm run test`.
 - `node-version`: Defines the version of NodeJS is used for actions/install-deps. Default is `18.x`.
- - `npm-version`: Defines the version of NPM that is used for actions/install-deps. Default is `latest`.
+ - `npm-version`: Global npm version to install before `npm ci`. Default is `''` (use the npm bundled with the selected node version). Avoid `'latest'` — triggers npm/cli#9151 on Node 22.
 1. Security
 - required secret `SNYK_TOKEN` requires the organization or repo Snyk token secret
 - optional argument `args` allows passing in any extra args to the Snyk command. Note, the default behavior is to test all projects including all dev dependencies. If you don't want to test dev dependencies, pass in args: `--all-projects` to override the default args.
@@ -130,7 +130,7 @@ Publishing to NPM requires permissions and the relevant token to be stored in th - `retention-days`: How many days to save the archive for if it's stored. (upload-artifact: `true`). Default is `7` days. - `build-command`: The command to run to build the project. Defaults to `npm run package`. - `node-version`: Defines the version of NodeJS is used for actions/install-deps. Default is `18.x`. - - `npm-version`: Defines the version of NPM that is used for actions/install-deps. Default is `latest`. + - `npm-version`: Global npm version to install before `npm ci`. Default is `''` (use the npm bundled with the selected node version). Avoid `'latest'` — triggers npm/cli#9151 on Node 22. 1. Upload to s3 Workflow downloads the archive created from the build workflow and pushes it to s3 with the commit id as a tag. Default only running on master branch. See examples before for more information.