Skip to content

CI uses npm install instead of npm ci — lockfile not enforced during builds #227

Description

@ooloth

Why

Using npm install in CI allows npm to install dependency versions that differ from package-lock.json, meaning a package that changes between the lock file commit and the CI run can silently install a different (potentially compromised) version without any build failure.

Current state

.github/workflows/ci.yml lines 11 and 25 both use:

run: npm install

npm install updates package-lock.json if it finds discrepancies and installs whatever satisfies the semver range — it does not enforce exact lockfile versions. Any dependency drift from the committed lock file goes undetected.

Ideal state

  • Both CI jobs use npm ci instead of npm install.
  • npm ci performs a clean install that exactly matches package-lock.json, fails if the lock file is missing or out of sync, and does not modify any files.
  • Dependency versions installed in CI are guaranteed to match the committed lock file.

Out of scope

  • Pinning transitive dependencies via overrides (tracked separately in the npm audit issue).
  • Migrating to a different package manager.

Starting points

  • .github/workflows/ci.yml lines 11 and 25 — the two npm install commands to replace with npm ci

QA plan

  1. Replace both npm install calls with npm ci in the workflow file.
  2. Push to a branch and observe the CI run — expect both jobs succeed.
  3. Temporarily introduce a version mismatch between package.json and package-lock.json and push — expect npm ci fails with a clear lockfile-mismatch error.

Done when

Both CI jobs use npm ci and a mismatched package-lock.json causes the CI run to fail rather than silently installing different versions.

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions