Skip to content

Fix npm package lockfile #1787

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lfdebrux merged 1 commit into from
Dec 12, 2025
Merged

Fix npm package lockfile #1787

lfdebrux merged 1 commit into from
Dec 12, 2025

Conversation

@lfdebrux
Copy link
Member

@lfdebrux lfdebrux commented Dec 11, 2025
edited
Loading

What problem does this pull request solve?

There was a bug in npm v11.6.0 and prior that would mark dependencies as peer dependencies incorrectly (see npm/cli#8579). This was fixed in v11.6.1 (see the npm changelog, but it seems that at some point our package lockfile was updated with incorrectly marked peer dependencies, and now when we run npm install on our machines with the latest version of npm it updates the package lockfile to remove the marks, leading to noise in git.

This commit updates the package lockfile with the (hopefully) correct peer dependency marks.

I don't think we need to worry about Dependabot changing things back, as looking at the logs of a recent Dependabot run it looks like that is now using npm v11.6.2.

Note

Note to devs: if you find your local machine adding peer: true to the package lockfiles (and not making any other changes), make sure to run npm install -g npm@latest if running Node locally, and/or docker compose build --no-cache if using Docker Compose.

Things to consider when reviewing

  • Ensure that you consider the wider context.
  • Does it work when run on your machine?
  • Is it clear what the code is doing?
  • Do the commit messages explain why the changes were made?
  • Are there all the unit tests needed?
  • Do the end to end tests need updating before these changes will pass?
  • Has all relevant documentation been updated?

@github-actions
Copy link
Contributor

github-actions bot commented Dec 11, 2025

🎉 A review copy of this PR has been deployed! It is made of up two components

  1. A review copy of forms-runner
  2. A production copy of forms-admin

Important

Not all of the functionality of forms-runner is present in review apps.
Functionality such as sending emails, file upload, and S3 submission types are
deliberately disabled for the sake of simplifying review apps.

You should use the full dev environment to test the functionality which is disabled here.

It may take 5 minutes or so for the application to be fully deployed and working. If it still isn't ready
after 5 minutes, there may be something wrong with the ECS task. You will need to go to the integration AWS account
to debug, or otherwise ask an infrastructure person.

For the sign in details and more information, see the review apps wiki page.

@lfdebrux
Fix npm package lockfile
e843d2f 
There was a bug in npm v11.6.0 and prior that would mark dependencies as
peer dependencies incorrectly (see
npm/cli#8579). This was fixed in v11.6.1 (see
the [npm changelog], but it seems that at some point our package
lockfile was updated with incorrectly marked peer dependencies, and now
when we run `npm install` on our machines with the latest version of npm
it updates the package lockfile to remove the marks, leading to noise in
git.

This commit updates the package lockfile with the (hopefully) correct
peer dependency marks.

I don't think we need to worry about Dependabot changing things back, as
looking at the logs of a [recent Dependabot run] it looks like that is
now using npm v11.6.2.

[npm changelog]: https://github.com/npm/cli/blob/latest/CHANGELOG.md#1161-2025-09-23
[recent Dependabot run]: https://github.com/alphagov/forms-runner/actions/runs/20049289324/job/57501554830
@lfdebrux lfdebrux force-pushed the ldeb-fix-package-lock-peer-true branch from f03d73b to e843d2f Compare December 12, 2025 08:04
@sonarqubecloud
Copy link

sonarqubecloud bot commented Dec 12, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@lfdebrux lfdebrux enabled auto-merge December 12, 2025 08:05
@lfdebrux lfdebrux merged commit 2ad0e0a into main Dec 12, 2025
4 of 5 checks passed
@lfdebrux lfdebrux deleted the ldeb-fix-package-lock-peer-true branch December 12, 2025 08:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DavidBiddle DavidBiddle DavidBiddle approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lfdebrux @DavidBiddle