chore(ci): add lockfile + dependency guardrails #11
Merged
Prevent the v0.3.0–v0.3.2 release-tag ghosts from recurring with three layered checks:

- New `lockfile-check` job in ci.yml: re-resolves the lockfile from package.json under the CI-pinned npm@11.6.2 and fails any PR where `git diff package-lock.json` is non-empty. Also runs `npm ci --ignore-scripts --dry-run` to catch missing-from-lock errors before the release pipeline ever sees them.
- Husky pre-commit hook rejects local commits that stage package.json without also staging package-lock.json.
- CODEOWNERS adds /package.json, /package-lock.json, /.nvmrc so any PR touching dep metadata routes through review.

Documentation:

- CONTRIBUTING.md: new "Dependency changes" section.
- New RELEASE.md: pre-flight checklist, cut-the-release steps, workflow-watching tips, and a post-mortem table of the v0.3.0–v0.3.3 saga so the next person reading it can skip the same mistakes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Prevent the v0.3.0–v0.3.2 release-tag ghosts from recurring with three layered checks:

- `lockfile-check` CI job — re-resolves the lockfile from `package.json` under the CI-pinned `npm@11.6.2` and fails any PR where `git diff package-lock.json` is non-empty. Also runs `npm ci --ignore-scripts --dry-run` to catch missing-from-lock errors before the release pipeline ever sees them.
- `pre-commit` hook — rejects local commits that stage `package.json` without also staging `package-lock.json`.
- CODEOWNERS adds `/package.json`, `/package-lock.json`, `/.nvmrc` so any PR touching dep metadata routes through review.

Documentation:

- `CONTRIBUTING.md`: new "Dependency changes" section explaining the new gates and the npm version pin.
- `RELEASE.md`: pre-flight checklist, cut-the-release steps, workflow-watching tips, and a post-mortem table of the v0.3.0–v0.3.3 saga so the next person reading it can skip the same mistakes.

Test plan

- `lockfile-check` job passes on this PR (lockfile already in sync from v0.3.3).
- `package.json`-only stage locally.
- `test` job still passes on both ubuntu + windows.

🤖 Generated with Claude Code
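The pre-commit rule from the summary above, written out as an added example rather than the PR's own Husky hook: the check is a POSIX sh function that takes the staged-file list as an argument, so it can be exercised without a repository, and the hook entry point at the bottom feeds it `git diff --cached --name-only`.

```shell
#!/bin/sh
# Added example, not the PR's Husky hook: the pre-commit rule from the
# summary above as a POSIX sh function that can be tested without git.
# check_staged_deps takes the newline-separated list of staged paths
# (what `git diff --cached --name-only` prints) and returns 1 when
# package.json is staged but package-lock.json is not.
check_staged_deps() {
  staged="$1"
  has_manifest=0
  has_lock=0
  # Match whole lines (-x) as fixed strings (-F): only the repository-root
  # manifest and lockfile count, as the PR describes; workspace manifests
  # such as packages/foo/package.json are deliberately not matched here.
  if printf '%s\n' "$staged" | grep -qxF 'package.json'; then
    has_manifest=1
  fi
  if printf '%s\n' "$staged" | grep -qxF 'package-lock.json'; then
    has_lock=1
  fi
  if [ "$has_manifest" -eq 1 ] && [ "$has_lock" -eq 0 ]; then
    echo "pre-commit: package.json is staged but package-lock.json is not" >&2
    echo "            run 'npm install' and stage the lockfile as well" >&2
    return 1
  fi
  return 0
}

# Hook entry point. It reads the index, not the working tree, so a lockfile
# that was regenerated but left unstaged still blocks the commit. The guard
# makes the file harmless to source outside a repository.
if command -v git >/dev/null 2>&1 && git rev-parse --git-dir >/dev/null 2>&1; then
  check_staged_deps "$(git diff --cached --name-only)" || exit 1
fi
```

Husky would run this file as `.husky/pre-commit`.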