From f41f1d335457b858ebdc5b5d124843efdfb6bde2 Mon Sep 17 00:00:00 2001 From: Kevin Heis Date: Wed, 22 Oct 2025 11:55:53 -0700 Subject: [PATCH] Relax package-lock lint to only check top-level dependencies (#58125) --- .github/workflows/package-lock-lint.yml | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/.github/workflows/package-lock-lint.yml b/.github/workflows/package-lock-lint.yml index b912a11cbb..1b9581f945 100644 --- a/.github/workflows/package-lock-lint.yml +++ b/.github/workflows/package-lock-lint.yml @@ -37,6 +37,9 @@ jobs: run: | npm --version + # Save the current top-level dependencies from package-lock.json + node -e "console.log(JSON.stringify(require('./package-lock.json').packages['']))" > /tmp/before.json + # From https://docs.npmjs.com/cli/v7/commands/npm-install # # The --package-lock-only argument will only update the @@ -45,9 +48,16 @@ jobs: # npm install --package-lock-only --ignore-scripts --include=optional - # If the package.json (dependencies and devDependencies) is - # in correct sync with package-lock.json running the above command - # should *not* make an edit to the package-lock.json. I.e. - # running `git status` should - # say "nothing to commit, working tree clean". - git diff --exit-code + # Extract the top-level dependencies after regeneration + node -e "console.log(JSON.stringify(require('./package-lock.json').packages['']))" > /tmp/after.json + + # Compare only the top-level package dependencies + # This ignores platform-specific differences in nested dependency resolution + # (like "peer" flags) that don't affect actual installed versions + if ! diff /tmp/before.json /tmp/after.json; then + echo "ERROR: Top-level dependencies in package-lock.json are out of sync with package.json" + echo "Please run 'npm install' locally and commit the updated package-lock.json" + exit 1 + fi + + echo "✓ Top-level dependencies are in sync"