@maureenlholland maureenlholland commented Dec 1, 2025

One-line summary

Same update as mozilla/bedrock#16906

Significant changes and points to review

Issue / Bugzilla link

Peer fields were added in Dependabot package-lock update: #806
These fields were being removed in local npm install steps. This is likely due to a mismatch in npm versions (although it is hard to diagnose as the peer field is not documented in npm, yet it is in npm GitHub PRs)

Testing

Run npm install locally and confirm the lock file does not add peer: true fields

Node upgrade tests: confirm the following run without error or noise

  • make build
  • make run

Integration test run 🟢 : https://github.com/mozmeao/springfield/actions/runs/20097490260

Environment details
  node: v24.11.1
  npm: 11.6.2
  yarn: 1.22.22
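Added example (not part of this PR or the springfield repository): one way to automate the "confirm the lock file does not add peer: true fields" check is to compare the committed lockfile with the one npm rewrote and list every package whose `peer` flag changed. The function names and both sample lockfiles are constructed for illustration.

```javascript
// Collect the "peer" flag for every package entry in a lockfile object.
// lockfileVersion 2/3 store per-package metadata under "packages",
// keyed by install path; the "" key is the root project itself.
function peerFlags(lock) {
  const flags = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== "") flags.set(path, meta.peer === true);
  }
  return flags;
}

// Report packages whose "peer" flag differs between two lockfiles.
// Packages present in only one file are skipped, so real dependency
// additions or removals are not reported as flag churn.
function peerFlagDrift(before, after) {
  const a = peerFlags(before);
  const b = peerFlags(after);
  const drift = { added: [], removed: [] };
  for (const [path, isPeer] of b) {
    if (!a.has(path)) continue;
    if (isPeer && !a.get(path)) drift.added.push(path);
    if (!isPeer && a.get(path)) drift.removed.push(path);
  }
  drift.added.sort();
  drift.removed.sort();
  return drift;
}

// Constructed sample data: "committed" stands for the lockfile in git,
// "reinstalled" for the file after a local `npm install`.
const committed = { lockfileVersion: 3, packages: {
  "": { name: "example-app" },
  "node_modules/alpha": { version: "1.0.0", peer: true },
  "node_modules/beta": { version: "2.1.0", dev: true },
  "node_modules/gamma": { version: "0.3.0" },
}};
const reinstalled = { lockfileVersion: 3, packages: {
  "": { name: "example-app" },
  "node_modules/alpha": { version: "1.0.0" },
  "node_modules/beta": { version: "2.1.0", dev: true },
  "node_modules/gamma": { version: "0.3.0", peer: true },
  "node_modules/delta": { version: "4.0.0", peer: true },
}};

console.log(JSON.stringify(peerFlagDrift(committed, reinstalled)));
```

For real use, parse the two files with `JSON.parse` (for example the working-tree `package-lock.json` and the output of `git show HEAD:package-lock.json`) and fail the check when either list is non-empty.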

@maureenlholland maureenlholland marked this pull request as draft December 1, 2025 16:37
@maureenlholland maureenlholland marked this pull request as ready for review December 1, 2025 18:10

@janbrasna janbrasna left a comment

Somewhat surprisingly, here yet another version is being used in the build:

"description": "You can have all the money in the world, but there’s one thing you will never have — a dinosaur.",
"private": true,
"engines": {
"node": "^24.0.0",

Springfield (unlike bedrock's Node 20) builds using Node 22: 🤷

FROM node:22.15.0-slim AS assets

Uses bookworm slim docker image
@janbrasna

The issue is Dependabot started "guessing" npm here as npm@11 after they added its support — and using a version in the middle of their peer prune dumpster fire as its cli to submit PRs, introducing dirty lockfiles:/

This would normally resolve itself over time when they start using the latest patch version, but they're stuck on a few back now:/ however luckily they take the engines field as a hard constraint (unlike your local CLI where it only advises warnings or error messages when consumed as a dependency on an incompatible runtime; but won't enforce any runtime versions on its own…) so either pinning 10.x, 11.5- or 11.6.4+ should do the trick.

@janbrasna

What I wanted to say is fixing this actual issue is not directly/necessarily related to a Node 24 update, but it's nice to have anyway. (I'll post more details in the upstream review.)

# assets builder and dev server
#
FROM node:22.15.0-slim AS assets
FROM node:24-slim AS assets
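
Review bot: the new FROM line uses the floating tag node:24-slim, while the line it replaces pinned an exact release (node:22.15.0-slim), so image rebuilds can pick up different Node and bundled npm versions over time. Since this thread ties the dirty lockfiles to specific npm 11 patch versions, consider pinning the full version here (the PR's environment details list node v24.11.1) so the npm used in the build stays in step with the one that generated the lockfile.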

I'm also adding more details about the hard pin version rationale in a tracking ticket:

@maureenlholland maureenlholland marked this pull request as draft December 10, 2025 17:22