Skip to content

chore: restore package-lock.json and use npm ci in CI#941

Merged
yogeshchoudhary147 merged 2 commits into
mainfrom
restore-package-lock
Jul 17, 2026
Merged

chore: restore package-lock.json and use npm ci in CI#941
yogeshchoudhary147 merged 2 commits into
mainfrom
restore-package-lock

Conversation

@yogeshchoudhary147

@yogeshchoudhary147 yogeshchoudhary147 commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds omit-lockfile-registry-resolved=true to .npmrc so internal registry URLs are stripped from the lockfile before commit
  • Removes package-lock.json from .gitignore and restores it to version control for deterministic installs
  • Pins actions/setup-node to a SHA and adds cache: npm across all workflows
  • Replaces npm i with npm ci in all CI jobs to ensure installs match the lockfile exactly

Summary by CodeRabbit

  • Build & Reliability

    • Switched dependency installation from npm i to npm ci across build, tests, publishing, security checks, and cross-browser runs for more consistent results.
    • Enabled npm caching to speed up CI workflows.
    • Pinned the Node.js setup action to a fixed version for improved reliability.
  • Configuration

    • Allow tracking of package-lock.json by removing the ignore rule.
    • Updated npm settings to better control lockfile metadata output.
    • Snyk now uses a defined Node.js version during setup.

@yogeshchoudhary147
yogeshchoudhary147 requested a review from a team as a code owner July 15, 2026 01:32
@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: b6220e32-a3f3-43a5-9f4f-0945324b0018

📥 Commits

Reviewing files that changed from the base of the PR and between a327b11 and 56862fa.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (7)
  • .github/actions/build/action.yml
  • .github/actions/npm-publish/action.yml
  • .github/workflows/cross-browser.yml
  • .github/workflows/snyk.yml
  • .github/workflows/test.yml
  • .gitignore
  • .npmrc
💤 Files with no reviewable changes (1)
  • .gitignore
🚧 Files skipped from review as they are similar to previous changes (5)
  • .npmrc
  • .github/workflows/snyk.yml
  • .github/actions/build/action.yml
  • .github/workflows/test.yml
  • .github/actions/npm-publish/action.yml

📝 Walkthrough

Walkthrough

CI actions and workflows now use npm ci with npm caching. Node setup is pinned in composite actions, Snyk defines Node 22, and npm lockfile tracking and metadata settings are updated.

Changes

Node.js CI installation updates

Layer / File(s) Summary
Lockfile tracking and npm metadata
.gitignore, .npmrc
package-lock.json is no longer ignored, and npm omits registry.resolved metadata from lockfiles.
Composite action installation flow
.github/actions/build/action.yml, .github/actions/npm-publish/action.yml
Composite actions enable npm caching, use npm ci, and pin actions/setup-node in the build and publish actions.
Workflow installation flow
.github/workflows/cross-browser.yml, .github/workflows/snyk.yml, .github/workflows/test.yml
Workflow jobs enable npm caching and use npm ci; Snyk centralizes the Node version at 22.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main changes: restoring package-lock.json and switching CI installs to npm ci.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch restore-package-lock

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@semgrepcode-auth0

Copy link
Copy Markdown

Semgrep found 1 ssc-c8b7a1f2-4d36-4f0a-9e2b-1a5c8d7e6f30 finding:

Risk: Affected versions of vite and vite-plus are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor / Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Vite's server.fs.deny blocklist—which protects sensitive files such as .env and certificate files from being served—can be bypassed on Windows using alternate path representations (NTFS Alternate Data Stream syntax like /.env::$DATA?raw, or 8.3 short filenames), allowing an attacker to read otherwise-denied files when the dev server is exposed to the network.

Manual Review Advice: A vulnerability from this advisory is reachable if you expose the Vite dev server or vite-plus to the network by configuring a non-loopback address using the --host CLI flag on Windows

Fix: Upgrade this library to at least version 6.4.3 at auth0-angular/package-lock.json:21361.

Reference(s): GHSA-fx2h-pf6j-xcff

Semgrep found 1 ssc-1a0f4ed6-c2fe-47ec-b275-9bdc1073cf2e finding:

Risk: Affected versions of @babel/plugin-transform-modules-systemjs are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') / Improper Control of Generation of Code ('Code Injection'). @babel/plugin-transform-modules-systemjs mishandles module string specifiers when compiling code into SystemJS module form. An attacker who can supply specially crafted source code to a Babel build that uses this plugin (directly, or transitively via @babel/preset-env configured with modules: "systemjs") can cause Babel to emit output that executes arbitrary JavaScript when the compiled bundle is loaded.

Manual Review Advice: A vulnerability from this advisory is reachable if you install @babel/plugin-transform-modules-systemjs plugin through cli, or use @babel/preset-env preset with modules set to "systemjs"

Fix: Upgrade this library to at least version 7.29.4 at auth0-angular/package-lock.json:2735.

Reference(s): GHSA-fv7c-fp4j-7gwp, CVE-2026-44728

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/actions/npm-publish/action.yml:
- Around line 31-34: Update the npm installation step in the npm publish action
to use a version that is published and available from the registry, or remove
the upgrade and rely on the bundled npm. Preserve the step’s purpose of
providing a working npm version for publishing.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 39ad342c-1c11-4510-9c9b-898b286ab4e4

📥 Commits

Reviewing files that changed from the base of the PR and between 4722c1b and a327b11.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (7)
  • .github/actions/build/action.yml
  • .github/actions/npm-publish/action.yml
  • .github/workflows/cross-browser.yml
  • .github/workflows/snyk.yml
  • .github/workflows/test.yml
  • .gitignore
  • .npmrc
💤 Files with no reviewable changes (1)
  • .gitignore

Comment thread .github/actions/npm-publish/action.yml
- Add omit-lockfile-registry-resolved=true to .npmrc to strip internal registry URLs from lockfile
- Un-ignore package-lock.json so it is tracked in version control
- Pin actions/setup-node to SHA and add cache: npm across all workflows
- Replace npm i with npm ci for deterministic installs
@gyaneshgouraw-okta

Copy link
Copy Markdown
Contributor

@yogeshchoudhary147 Please do review the snyk failure also. I understand it might not be due to changes in this PR but worth noting and taking an action item.

@yogeshchoudhary147
yogeshchoudhary147 merged commit fddc60d into main Jul 17, 2026
12 of 13 checks passed
@yogeshchoudhary147
yogeshchoudhary147 deleted the restore-package-lock branch July 17, 2026 07:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants