
Vectors lance path #4114


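name: Validate package-lock.json Tests
on: [pull_request]

# Least privilege: the job only reads repository contents (checkout and git fetch).
# A later step runs `npm install` on the PR's dependency tree, so the token that
# checkout leaves in the git config must not carry write scopes.
permissions:
  contents: read

jobs:
  run-package-lock-validation:
    runs-on: ubuntu-latest
    timeout-minutes: 90
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}
      cancel-in-progress: true
    steps:
      # NOTE(review): both actions are referenced by mutable tag; pinning them to a
      # full commit SHA is the stricter supply-chain option.
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Node.js
        uses: actions/setup-node@v6
        with:
          node-version-file: .nvmrc
      - name: Validate PR package-lock.json preserves base branch resolved and integrity
        # Context values are passed through the environment instead of being
        # expanded into the script text, so a branch name containing shell
        # metacharacters is treated as data and never parsed as shell code.
        env:
          BASE_REF: ${{ github.base_ref }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # For every package path that exists in both the base branch and the PR head lockfile:
          # if the base entry has resolved and integrity (non-link), the PR entry must also have both fields set (non-null).
          # Values are not compared; only presence of resolved and integrity on the PR is checked.
          # Package paths that exist only on the PR head are not inspected by this step.
          RED='\033[0;31m'
          GREEN='\033[0;32m'
          NC='\033[0m'
          git fetch origin "${BASE_REF}" --depth=1
          git show FETCH_HEAD:package-lock.json > package-lock-base.json
          git fetch origin "pull/${PR_NUMBER}/head" --depth=1
          git show FETCH_HEAD:package-lock.json > package-lock-pr-head.json
          # Count package paths, excluding the root project entry (the "" key).
          base_pkg_count=$(jq '[.packages | keys[] | select(. != "")] | length' package-lock-base.json)
          pr_pkg_count=$(jq '[.packages | keys[] | select(. != "")] | length' package-lock-pr-head.json)
          # Report: how many shared paths are pinned on both sides, and which shared
          # paths are pinned on base but lack resolved or integrity on the PR head.
          jq -n \
            --slurpfile base package-lock-base.json \
            --slurpfile pr package-lock-pr-head.json \
            '
            ($base[0].packages // {}) as $A |
            ($pr[0].packages // {}) as $B |
            (
              [($A | keys[] | select(. != "")) as $k |
                select(
                  ($B | has($k)) and
                  ($A[$k].link != true) and
                  (($A[$k] | .resolved != null) and ($A[$k] | .integrity != null)) and
                  (($B[$k] | .resolved != null) and ($B[$k] | .integrity != null))
                ) | $k
              ]
            ) as $both_pinned |
            {
              both_pinned_count: ($both_pinned | length),
              diverged:
                [($A | keys[] | select(. != "")) as $k |
                  select(
                    ($B | has($k)) and
                    ($A[$k].link != true) and
                    (($A[$k] | .resolved != null) and ($A[$k] | .integrity != null)) and
                    (($B[$k] | .resolved == null) or ($B[$k] | .integrity == null))
                  ) | $k
                ]
            }
            ' > package_lock_base_compare_report.json
          diverged_count=$(jq '.diverged | length' package_lock_base_compare_report.json)
          both_pinned_count=$(jq '.both_pinned_count' package_lock_base_compare_report.json)
          if [ "${diverged_count}" -gt 0 ]; then
            echo "Shared registry package paths with resolved and integrity in both base (${BASE_REF}) and PR head: ${both_pinned_count}"
            # Base has fewer package paths than PR (e.g. new dependencies on the PR): do not fail this step.
            # NOTE(review): this early exit means a PR that adds any package path is never
            # failed for shared entries that lost resolved/integrity. Kept unchanged because
            # it looks deliberate; confirm that skipping the check in this case is acceptable.
            if [ "${base_pkg_count}" -lt "${pr_pkg_count}" ]; then
              echo -e "${GREEN}Base (${BASE_REF}) has fewer package-lock package paths (${base_pkg_count}) than PR head (${pr_pkg_count}); not failing resolved/integrity check.${NC}"
              exit 0
            fi
            echo -e "${RED}package-lock.json on the PR branch must have resolved and integrity set (non-null) for every shared package path where the base (${BASE_REF}) has both (values are not compared).${NC}"
            echo -e "${RED}Lockfile package path counts: base branch (${BASE_REF})=${base_pkg_count}, PR head=${pr_pkg_count}, paths missing resolved or integrity on PR=${diverged_count}${NC}"
            echo -e "${RED}Package paths missing resolved or integrity on PR (while base has both):${NC}"
            jq -r '.diverged[]' package_lock_base_compare_report.json | while IFS= read -r path; do
              echo " ${path}"
            done
            echo "for more details: https://github.com/npm/cli/issues/4263"
            echo -e "${GREEN}To fix this, run: npm cache clean --force ; rm -rf node_modules ; rm -rf package-lock.json${NC}"
            echo -e "${GREEN}and then run: npm install${NC}"
            echo "Regenerate the lockfile locally (same Node as .nvmrc), commit, and re-run."
            exit 1
          fi
          echo -e "${GREEN}Base branch (${BASE_REF}) vs PR head: for every shared path where base has resolved and integrity, PR has both fields set.${NC}"
      - name: Backup the current package-lock.json
        run: |
          # Backup the current package-lock.json
          mv package-lock.json package-lock-backup.json
          # Generate a new package-lock.json
          # NOTE(review): this installs the PR's dependency tree and runs its lifecycle
          # scripts on the runner. The later steps only read the regenerated lockfile, so
          # `npm install --ignore-scripts` or `npm install --package-lock-only` may be
          # enough; confirm that the lockfile comes out the same before switching.
          npm install
      - name: Validate top-level versions in package-lock.json
        run: |
          # Validate the main version field
          top_version_backup=$(jq -r '.version' package-lock-backup.json)
          top_version_new=$(jq -r '.version' package-lock.json)
          # Define the ANSI escape code for red
          RED='\033[0;31m'
          NC='\033[0m' # No Color (resets the color)
          if [ "$top_version_backup" != "$top_version_new" ]; then
            echo "The top-level version in package-lock.json is inconsistent."
            echo -e "${RED}Original version: $top_version_backup${NC}"
            echo -e "${RED}Generated version: $top_version_new${NC}"
            exit 1
          fi
      - name: Validate dependencies top-level versions in package-lock.json
        run: |
          # Extract and validate top-level module versions
          jq '.packages[""].dependencies' package-lock-backup.json > top-level-versions-backup.json
          jq '.packages[""].dependencies' package-lock.json > top-level-versions-new.json
          # Each run step starts a fresh shell, so the colour variables set in
          # earlier steps are not visible here and have to be defined again.
          RED='\033[0;31m'
          NC='\033[0m' # No Color (resets the color)
          if ! diff -q top-level-versions-backup.json top-level-versions-new.json > /dev/null; then
            echo -e "${RED}Top-level module versions in package-lock.json are inconsistent.${NC}"
            echo -e "${RED}Differences:${NC}"
            diff top-level-versions-backup.json top-level-versions-new.json || true
            exit 1
          else
            echo "Top-level module versions are consistent. Validation passed."
          fi
      - name: Validate devDependencies top-level versions in package-lock.json
        run: |
          # Extract and validate top-level module versions
          jq '.packages[""].devDependencies' package-lock-backup.json > top-level-versions-backup.json
          jq '.packages[""].devDependencies' package-lock.json > top-level-versions-new.json
          # Define the ANSI escape code for red
          RED='\033[0;31m'
          NC='\033[0m' # No Color (resets the color)
          if ! diff -q top-level-versions-backup.json top-level-versions-new.json > /dev/null; then
            echo -e "${RED}Top-level module versions in package-lock.json are inconsistent.${NC}"
            echo -e "${RED}Differences:${NC}"
            diff top-level-versions-backup.json top-level-versions-new.json || true
            exit 1
          else
            echo "Top-level module versions are consistent. Validation passed."
          fi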