Fix lint CI: install from lockfile (npm ci) instead of lockless yarn #365

Merged: szegedi merged 1 commit into main from fix-lint-ci-lockfile, Jul 2, 2026
szegedi commented Jul 2, 2026

Problem

The lint CI job runs yarn with no yarn.lock committed. Yarn ignores package-lock.json (npm's lockfile), so it resolves every dependency fresh from the package.json version ranges on each run.

prettier is not a direct dependency — it's pulled transitively via gts (prettier@^3.6.2). So CI floats to the newest prettier (currently 3.9.4), while local development pins 3.8.1 through package-lock.json.

prettier 3.9.x changed union-return-type wrapping, collapsing the leading-| multiline form that 3.8.1 emits:

// 3.8.1 (committed, passes locally)      3.9.4 (CI wants)
:                                          :
  | AllocationProfileNode                    AllocationProfileNode | AllocationProfileNodeWithStats
  | AllocationProfileNodeWithStats

Result: gts check fails in CI on heap-profiler.ts / heap-profiler-bindings.ts even though the code is correctly formatted for the pinned prettier — and the failure never reproduces locally.

Fix

Switch the install to npm ci (and the script to npm run lint) so CI uses the exact package-lock.json versions the repo is developed against. This fixes the prettier drift at the root and prevents future lockless-yarn float for every other tool in the lint chain.

Note

.github/workflows/package-size.yml uses the same lockless yarn install and has the same latent drift risk; left out of scope here since it isn't currently failing.

The lint job ran `yarn` with no `yarn.lock` in the repo, so yarn ignored
package-lock.json and resolved every dependency fresh from the
package.json ranges. prettier isn't a direct dependency — it comes in
transitively via gts (^3.6.2) — so CI floated to the newest prettier
(3.9.4), while local development pins 3.8.1 through package-lock.json.

prettier 3.9.x changed how it wraps union return types (collapsing the
leading-`|` multiline form 3.8.1 produces), so `gts check` failed in CI
on heap-profiler.ts / heap-profiler-bindings.ts even though the code was
correctly formatted for the pinned prettier — and the failure never
reproduced locally.

Switch install to `npm ci` (and the script to `npm run lint`) so CI uses
the exact package-lock.json versions the repo is developed against. This
fixes the prettier drift and prevents any future lockless-yarn float for
every other tool in the lint chain.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
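
The failure mode described in this pull request, as an added example (not code from the pull request or the project): a Node.js check that flags workflow install commands whose lockfile is not committed, which also catches the `package-size.yml` case from the Note. `auditWorkflows` is a hypothetical helper and the file contents in `SAMPLE_REPO` are constructed.

```javascript
// Added example: flag CI install commands whose lockfile is not committed.
// SAMPLE_REPO (path -> contents) is constructed for illustration.
const SAMPLE_REPO = {
  'package-lock.json': '{"lockfileVersion": 3}',
  '.github/workflows/lint.yml': [
    'jobs:',
    '  lint:',
    '    steps:',
    '      - run: yarn',
    '      - run: yarn lint',
  ].join('\n'),
  '.github/workflows/package-size.yml': '      - run: yarn\n',
  '.github/workflows/pinned.yml': '      - run: npm ci\n      - run: npm run lint\n',
};

// Each installer, the lockfile it reads, and its lockfile-enforcing command.
const INSTALLERS = [
  { re: /^yarn(\s+install)?(\s+--?\S+)*$/, lock: 'yarn.lock',
    strict: 'yarn install --frozen-lockfile' }, // Yarn 1 flag
  { re: /^npm\s+(ci|install|i)(\s+--?\S+)*$/, lock: 'package-lock.json',
    strict: 'npm ci' },
];

function auditWorkflows(repo) {
  const findings = [];
  for (const [path, text] of Object.entries(repo)) {
    if (!/^\.github\/workflows\/.+\.ya?ml$/.test(path)) continue;
    text.split('\n').forEach((line, i) => {
      // Heuristic, not a YAML parser: drop a leading "- run:" key; lines
      // inside a "run: |" block are already bare commands.
      const cmd = line.trim().replace(/^(-\s*)?run:\s*/, '');
      for (const inst of INSTALLERS) {
        if (!inst.re.test(cmd) || inst.lock in repo) continue;
        // The install floats: nothing pins what this command resolves.
        const other = INSTALLERS.find(o => o !== inst && o.lock in repo);
        findings.push({
          path, line: i + 1, cmd, missing: inst.lock,
          fix: other ? `use "${other.strict}" (${other.lock} is committed)`
                     : `commit ${inst.lock}`,
        });
      }
    });
  }
  return findings;
}

console.log(auditWorkflows(SAMPLE_REPO));
```

Run as a pre-merge check, a non-empty result means at least one job resolves dependencies fresh from the `package.json` ranges on every run.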

github-actions Bot commented Jul 2, 2026

Overall package size

Self size: 2.4 MB
Deduped: 3.1 MB
No deduping: 3.1 MB

Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|
| pprof-format | 2.2.2 | 500.53 kB | 500.53 kB |
| source-map | 0.7.6 | 185.63 kB | 185.63 kB |
| node-gyp-build | 4.8.4 | 13.86 kB | 13.86 kB |

🤖 This report was automatically generated by heaviest-objects-in-the-universe

szegedi added the semver-patch (Bug or security fixes, mainly) label Jul 2, 2026
szegedi enabled auto-merge (squash) July 2, 2026 15:44
szegedi merged commit d42430b into main Jul 2, 2026
70 of 71 checks passed
szegedi deleted the fix-lint-ci-lockfile branch July 2, 2026 16:07
szegedi added a commit that referenced this pull request Jul 2, 2026
…365)

szegedi mentioned this pull request Jul 2, 2026
szegedi added a commit that referenced this pull request Jul 3, 2026
…365)
