
[TT-16966][TT-16971] fix: backport #7995 — fix tslib and npm ci in ci/tests/specs #8065

Merged
buger merged 1 commit into release-5.12 from backport/7995-to-5.12
Apr 17, 2026

@buger
Member

@buger buger commented Apr 17, 2026

Summary

Full backport of #7995 to release-5.12.

  • Adds tslib as an explicit dependency in ci/tests/specs/package.json to fix Cannot find module 'tslib' error in portman contract tests
  • Commits package-lock.json and removes it from .gitignore for deterministic builds
  • Changes npm install --ignore-scripts to npm ci in ci/tests/specs/Taskfile.yml

Note: The policy schema changes (PostExpiryAction omitzero tag and associated tests) from #7995 are excluded because the PostExpiryAction field does not exist in release-5.12.

Test plan

  • CI Tests job passes on this PR
  • Portman contract tests no longer fail with Cannot find module 'tslib'

🤖 Generated with Claude Code

Backport of [TT-16966][TT-16971] from master to release-5.12.
Fixes `Cannot find module 'tslib'` error in portman contract tests
by adding tslib as an explicit dependency and committing package-lock.json.
Changes `npm install` to `npm ci` for deterministic installs.

Note: The policy schema changes (PostExpiryAction omitzero) from #7995
are excluded because that field does not exist in release-5.12.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@buger buger requested a review from a team as a code owner April 17, 2026 05:04
@github-actions
Contributor

🚨 Jira Linter Failed

Commit: 70d4e93
Failed at: 2026-04-17 05:05:25 UTC

The Jira linter failed to validate your PR. Please check the error details below:

failed to validate branch and PR title rules: branch name 'backport/7995-to-5.12' must contain a valid Jira ticket ID (e.g., ABC-123)

Next Steps

  • Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
  • Verify your PR title matches the branch's Jira ticket ID
  • Check that the Jira ticket exists and is accessible

This comment will be automatically deleted once the linter passes.

@probelabs
Contributor

probelabs Bot commented Apr 17, 2026

This PR backports a fix from #7995 to the release-5.12 branch to resolve a CI failure in the Portman contract tests caused by a missing tslib module.

Files Changed Analysis

  • .gitignore: The package-lock.json file is no longer ignored, allowing it to be committed to the repository for deterministic dependency management.
  • ci/tests/specs/package.json: Adds tslib as an explicit dependency to fix the Cannot find module 'tslib' error.
  • ci/tests/specs/package-lock.json: A new lock file is added, which makes up the majority of the line additions. This ensures that the exact same dependency versions are used in all environments, particularly CI.
  • ci/tests/specs/Taskfile.yml: The dependency installation command is changed from npm install --ignore-scripts to npm ci. This is a best practice for CI environments as it uses the package-lock.json for faster, more reliable, and strictly reproducible builds.

Architecture & Impact Assessment

  • What this PR accomplishes: It fixes a failing CI job for Portman contract tests by correcting the Node.js dependency setup. It also improves the reliability and reproducibility of the test environment.
  • Key technical changes introduced:
    1. Adds tslib as a direct dependency.
    2. Introduces package-lock.json to source control for deterministic builds.
    3. Switches to npm ci for dependency installation in the CI task, aligning with modern Node.js CI practices.
  • Affected system components: The changes are strictly confined to the CI/CD pipeline, specifically the setup for the OpenAPI specification tests located in ci/tests/specs/. There is no impact on the core Tyk Gateway application code or its runtime behavior.

Scope Discovery & Context Expansion

  • The scope of this change is narrow and well-defined, impacting only the isolated Node.js project used for Portman contract testing within the CI pipeline.
  • The update from npm install to npm ci is a standard improvement when a package-lock.json is present, ensuring that the CI environment precisely mirrors the dependency tree defined in the lock file, preventing unexpected failures due to transient dependency updates.

Metadata

  • Review Effort: 1 / 5
  • Primary Label: bug

Powered by Visor from Probelabs

Last updated: 2026-04-17T05:06:12.649Z | Triggered by: pr_opened | Commit: 70d4e93

💡 TIP: You can chat with Visor using /visor ask <your question>

@probelabs
Contributor

probelabs Bot commented Apr 17, 2026

Security Issues (1)

Severity: 🟡 Warning
Location: ci/tests/specs/Taskfile.yml:15
Issue: The `npm ci` command executes lifecycle scripts from dependencies by default. The previous command, `npm install --ignore-scripts`, explicitly disabled this, which is a security best practice to mitigate supply-chain attacks. Re-enabling scripts by default introduces a potential risk, as a compromised dependency could execute malicious code during the CI build process.
💡 Suggestion: To maintain the previous security posture and adhere to the principle of least privilege, add the `--ignore-scripts` flag to the `npm ci` command. This should only be omitted if a dependency is known to require scripts for installation.
🔧 Suggested Fix:
      - npm ci --ignore-scripts

✅ Architecture Check Passed

No architecture issues found – changes LGTM.

✅ Performance Check Passed

No performance issues found – changes LGTM.


Powered by Visor from Probelabs

Last updated: 2026-04-17T05:06:08.848Z | Triggered by: pr_opened | Commit: 70d4e93

💡 TIP: You can chat with Visor using /visor ask <your question>
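
An added example (not code from this PR or the Tyk repository) of the check the warning above implies: list which locked packages declare install scripts, and whether the task file's install command would let them run. It relies on the `hasInstallScript` field that npm writes into lockfile v2/v3 entries; the function names, the sample lockfile and the task lines are constructed for illustration.

```javascript
// Added example, not code from the PR. All sample data below is constructed.

// Lockfile v2/v3 entries that declare install-time lifecycle scripts
// (npm records these as "hasInstallScript": true under "packages").
function packagesWithInstallScripts(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path !== "" && meta.hasInstallScript === true)
    .map(([path, meta]) => ({
      // Keep only the innermost package name of a nested node_modules path.
      name: path.replace(/^.*node_modules\//, ""),
      version: meta.version,
    }));
}

// npm ci / npm install commands in a task file that omit --ignore-scripts.
function installCommandsRunningScripts(taskfileText) {
  return taskfileText
    .split("\n")
    .map((line) => line.replace(/^\s*-\s*/, "").trim())
    .filter((cmd) => /^npm\s+(ci|install|i)(\s|$)/.test(cmd))
    .filter((cmd) => !/\s--ignore-scripts(\s|=true(\s|$)|$)/.test(cmd));
}

// Packages whose scripts would actually execute under the given task file.
function scriptsThatWouldRun(lock, taskfileText) {
  return installCommandsRunningScripts(taskfileText).length === 0
    ? []
    : packagesWithInstallScripts(lock);
}

// Constructed lockfile: package names and versions are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-specs" },
    "node_modules/tslib": { version: "0.0.0-example" },
    "node_modules/example-native-addon": { version: "0.0.0-example", hasInstallScript: true },
  },
};
// Constructed task lines mirroring the before/after commands named in the review.
const taskBefore = "cmds:\n  - npm install --ignore-scripts\n";
const taskAfter = "cmds:\n  - npm ci\n";

console.log("before:", scriptsThatWouldRun(sampleLock, taskBefore));
console.log("after: ", scriptsThatWouldRun(sampleLock, taskAfter));
```

To run it against a real project, pass the parsed `package-lock.json` and the task file's text in place of the constructed samples.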

@github-actions
Contributor

API Changes

no api changes detected

@buger buger merged commit a418615 into release-5.12 Apr 17, 2026
18 of 19 checks passed
@buger buger deleted the backport/7995-to-5.12 branch April 17, 2026 05:08
@probelabs probelabs Bot changed the title fix: backport #7995 — fix tslib and npm ci in ci/tests/specs [TT-16966][TT-16971] fix: backport #7995 — fix tslib and npm ci in ci/tests/specs Apr 17, 2026