fix(ci): pin npm to 11.12.1 via packageManager field#2416

Merged
LeighFinegold merged 1 commit into finos:main from
rocketstack-matt:fix/2415-renovate-npm-version
May 5, 2026
Conversation

@rocketstack-matt
Member

@rocketstack-matt rocketstack-matt commented May 4, 2026

Description

Adds "packageManager": "npm@11.12.1" to the root package.json so Renovate's hosted runner uses npm 11 when regenerating the workspace lockfile.

Closes #2415.

Sequencing: depends on #2414 landing first (CI Node 24 / npm 11). Once #2414 merges this is purely additive — only the workspace package.json gains one field.

Why

Renovate currently uses npm 10 by default and raises EOVERRIDE when re-resolving the tree against the dompurify: ^3.4.0 override (and will eventually do the same for any other caret-range entry in overrides). The regen aborts; Renovate ships the unrelated package.json updates with a stale package-lock.json; CI fails on npm ci. Most recent breakage: #2410.

npm 11.5+ handles the same scenario without erroring — verified locally that npm install against PR #2410's head with npm 11.12.1 produces a clean lockfile in ~15 seconds.

packageManager is the Corepack-standard signal and is what Renovate's hosted runner reads to pick its npm version. CI is unaffected by this field — the workflows call npm from actions/setup-node and don't run corepack enable, so they keep using whatever npm ships with the configured Node (npm 11 from Node 24 once #2414 lands). Local dev only sees the pinned npm if the contributor opts into Corepack. The alternative (renovate.json constraints.npm) would also fix Renovate, but packageManager is the more standard and tooling-friendly signal.

Type of Change

  • 🐛 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • 📚 Documentation update
  • 🎨 Code style/formatting changes
  • ♻️ Refactoring (no functional changes)
  • ⚡ Performance improvements
  • ✅ Test additions or updates
  • 🔧 Chore (maintenance, dependencies, CI, etc.)

Affected Components

  • CLI (cli/)
  • Schema (calm/)
  • CALM AI (calm-ai/)
  • CALM Hub (calm-hub/)
  • CALM Hub UI (calm-hub-ui/)
  • CALM Server (calm-server/)
  • CALM Widgets (calm-widgets/)
  • Documentation (docs/)
  • Shared (shared/)
  • VS Code Extension (calm-plugins/vscode/)
  • Dependencies
  • CI/CD

Testing

  • I have tested my changes locally
  • I have added/updated unit tests
  • All existing tests pass

Local verification: npm install against PR #2410's head with npm 11.12.1 produces a clean lockfile diff and no EOVERRIDE. Once this PR merges, the next Renovate patch-update PR is the real test — its npm ci step should pass.

Checklist

  • My commits follow the conventional commit format
  • I have updated documentation if necessary
  • I have added tests for my changes (if applicable)
  • My changes follow the project's coding standards

Renovate's hosted runner uses npm 10 by default, which raises EOVERRIDE
when re-resolving the workspace tree against the dompurify override
(`^3.4.0`) and other caret-range overrides. The lockfile regen step
then aborts and Renovate ships package.json updates with a stale
package-lock.json, breaking every npm-based CI job on the resulting PR.

npm 11.5+ handles the same overrides scenario without erroring. Adding
`packageManager: npm@11.12.1` is the standard Corepack-honored signal
to pick a specific npm; Renovate respects it, and it also pins local
dev and any non-explicit CI step onto the same npm so all three stay
aligned.

Closes finos#2415. Sequenced after finos#2414 (CI Node 24 / npm 11).
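The description above notes that the `packageManager` pin only takes effect where Corepack is enabled, so a CI job that calls npm straight from `actions/setup-node` silently keeps whatever npm ships with its Node. The script below is an added example, not code from this PR or from the finos repository: a POSIX sh guard that reads the `npm@X.Y.Z` pin out of `package.json` and compares it with the npm on PATH, so a drift between the two fails loudly instead of surfacing later as an `EOVERRIDE` or a stale lockfile. The sample `package.json` it writes is constructed for the example; only the `packageManager` value and the `dompurify` override mirror what the page describes, and the other keys are placeholders.

```shell
#!/bin/sh
# Added example (not part of this PR or the finos project): CI guard that
# checks the npm on PATH against the "packageManager" pin in package.json.
# Workflows that never run `corepack enable` ignore the pin, so this makes
# a mismatch visible instead of letting it show up as a lockfile failure.

# Print the version pinned as "packageManager": "npm@X.Y.Z" in the file
# given as $1. A Corepack "+sha512." hash suffix is tolerated. Prints
# nothing if there is no pin or the pin names another package manager.
pinned_npm_version() {
  sed -n 's/^[[:space:]]*"packageManager"[[:space:]]*:[[:space:]]*"npm@\([^"+]*\)[^"]*".*$/\1/p' "$1" | head -n 1
}

# check_npm_pin <package.json> <actual npm version>
# Returns 0 when the versions match, 1 when they differ, and 2 when the
# manifest carries no npm pin at all.
check_npm_pin() {
  cnp_pkg=$1
  cnp_actual=$2
  cnp_pinned=$(pinned_npm_version "$cnp_pkg")
  if [ -z "$cnp_pinned" ]; then
    echo "no npm pin found in $cnp_pkg" >&2
    return 2
  fi
  if [ "$cnp_actual" != "$cnp_pinned" ]; then
    echo "npm $cnp_actual is on PATH but $cnp_pkg pins npm@$cnp_pinned" >&2
    echo "run 'corepack enable' or align the Node/npm chosen by setup-node" >&2
    return 1
  fi
  echo "npm $cnp_actual matches the packageManager pin in $cnp_pkg"
  return 0
}

# Constructed sample manifest for the example. Only "packageManager" and
# the dompurify override reflect this PR; the other keys are placeholders.
SAMPLE_PKG=$(mktemp)
cat > "$SAMPLE_PKG" <<'EOF'
{
  "name": "example-workspace",
  "private": true,
  "packageManager": "npm@11.12.1",
  "workspaces": ["shared", "cli"],
  "overrides": { "dompurify": "^3.4.0" }
}
EOF

# Usage: compare against the real npm when one is installed. In a workflow
# you would drop the `|| true` so a mismatch fails the job.
if command -v npm >/dev/null 2>&1; then
  check_npm_pin "$SAMPLE_PKG" "$(npm --version)" || true
fi
```

The `sed` pattern deliberately stops the capture at `+` so that a pin written by `corepack use npm@11.12.1`, which appends a `+sha512.` integrity hash, still compares equal to the bare `npm --version` output; a pin for another package manager yields no match and is reported as "no npm pin" rather than silently passing.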
@rocketstack-matt rocketstack-matt requested a review from a team as a code owner May 4, 2026 20:22
Copilot AI review requested due to automatic review settings May 4, 2026 20:22
@github-actions github-actions Bot added the config label May 4, 2026
Contributor

Copilot AI left a comment

Pull request overview

Pins the root npm version via the packageManager field so Renovate uses npm 11 when regenerating the workspace lockfile. In this monorepo, that targets the root npm workspace dependency flow intended to avoid stale package-lock.json updates on Renovate PRs.

Changes:

  • Adds packageManager: "npm@11.12.1" to the root workspace package.json.
  • Leaves the rest of the root npm workspace configuration unchanged.
  • Attempts to centralize npm version selection for Renovate-driven lockfile regeneration.

@LeighFinegold LeighFinegold merged commit cf9dfdf into finos:main May 5, 2026
24 checks passed
Development

Successfully merging this pull request may close these issues.

Renovate patch-update PRs ship out-of-sync package-lock.json (npm 10 EOVERRIDE)

3 participants