build: drop redundant npx prefixes #334
Merged
MarshallOfSound merged 4 commits into main from Mar 31, 2026
- package.json scripts: eslint, tsc, prettier are all devDependencies, npm/yarn already resolve them from node_modules/.bin
- mocha-cli.ts: spawn yarn tsx instead of npx tsx (tsx is a devDep)
CI uses npm and installs different electron versions per matrix entry, which modifies package.json and leaves yarn.lock stale. yarn tsx then fails its workspace consistency check. npx --no achieves the same thing (no registry fallback, tsx is a devDep) without yarn's lockfile check.
erickzhao
approved these changes
Mar 31, 2026
npm install defaults to --save, which rewrites package.json with the matrix electron version. That leaves yarn.lock stale, and yarn 4 checks lockfile consistency on every invocation — including yarn tsx in the spec runner. --no-save installs to node_modules without touching package.json. Reverts the previous npx --no workaround.
Replaces the CI-time npm install electron@X with lockfile-pinned aliases (electron36 through electron40 as npm:electron@^XX). The spec runner selects which one to use via ELECTRON_PKG env var, defaulting to the base electron devDep for local runs. This reverts the --no-save workaround from the previous commit — the real fix is not fetching electron from the registry at CI time at all. Each alias has a dependenciesMeta.built: true entry so the postinstall binary download runs despite enableScripts: false. The npmPreapprovedPackages entry for 'electron' already covers the aliases (yarn checks the resolved name, not the alias). Also switches setup-node cache from 'npm' to 'yarn'.
Drops redundant npx prefixes from package.json scripts (eslint/tsc/prettier are all devDeps) and the spec runner spawn.
The spec runner change exposed a latent CI bug: npm install "electron@${{ matrix.electron-version }}" defaults to --save, rewriting package.json on every matrix entry. The old npx tsx never cared about yarn.lock consistency; yarn tsx does, and died on the stale lockfile.
Fix: lockfile-pin the matrix electron versions via npm: aliases. spec-runner.ts now picks the alias via process.env.ELECTRON_PKG (defaults to the base electron devDep for local yarn test). CI sets ELECTRON_PKG: electron${{ matrix.electron-version }} and drops the npm install step entirely.
Each alias gets a dependenciesMeta.*.built: true entry so the postinstall binary download runs despite enableScripts: false. The existing npmPreapprovedPackages: [electron] already covers the aliases — yarn checks the resolved name, not the alias.
Lockfile delta: +96 lines (the 5 electron versions share their entire dep tree). Also switched setup-node cache: npm → cache: yarn.
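One way to guard the ELECTRON_PKG selection described above, so the runner only ever loads a lockfile-pinned electron alias. This is an added example, not code from the pull request or the project: the Manifest shape, the selectElectronPkg helper and the constructed sample manifest (base electron and tsx ranges, dependenciesMeta keys) are assumptions.

```typescript
// Added example, not the project's code. Names and shapes are assumptions.
type Manifest = {
  devDependencies: Record<string, string>;
  dependenciesMeta?: Record<string, { built?: boolean }>;
};

// Constructed sample: aliases electron36..electron40 as the PR describes them.
// The base electron range, the tsx range and the dependenciesMeta keys are made up.
const sampleManifest: Manifest = {
  devDependencies: {
    electron: '^40.0.0',
    electron36: 'npm:electron@^36',
    electron37: 'npm:electron@^37',
    electron38: 'npm:electron@^38',
    electron39: 'npm:electron@^39',
    electron40: 'npm:electron@^40',
    tsx: '^4.0.0',
  },
  dependenciesMeta: {
    electron36: { built: true },
    electron37: { built: true },
    electron38: { built: true },
    electron39: { built: true },
    electron40: { built: true },
  },
};

// Hypothetical helper: returns the package name the runner may load, or throws.
function selectElectronPkg(manifest: Manifest, env: Record<string, string | undefined>): string {
  const name = env.ELECTRON_PKG || 'electron'; // default: base devDep for local runs
  const spec: unknown = manifest.devDependencies[name];
  // The typeof check also rejects inherited keys such as "constructor".
  if (typeof spec !== 'string') {
    throw new Error(`ELECTRON_PKG=${name} is not a declared devDependency`);
  }
  if (name === 'electron') return name;
  const alias = /^electron(\d+)$/.exec(name);
  const target = /^npm:electron@\^(\d+)/.exec(spec);
  // The alias must resolve to the real electron package at the major its name claims.
  if (!alias || !target || alias[1] !== target[1]) {
    throw new Error(`ELECTRON_PKG=${name} is not an npm:electron@^<major> alias`);
  }
  // Without built: true the postinstall download is skipped under enableScripts: false.
  if (manifest.dependenciesMeta?.[name]?.built !== true) {
    throw new Error(`${name} lacks a dependenciesMeta built: true entry`);
  }
  return name;
}
```

A runner would call it as selectElectronPkg(manifest, process.env) after loading its own package.json, and fail the job on the thrown error instead of resolving an unexpected module.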