[CI] Package-lock.json and package.json sync validation needed in CI workflows #6168

@Sekar-C-Mca

Description

Current Behavior

When a developer updates package.json but forgets to run npm install locally before pushing their changes, the GitHub Actions workflows fail with confusing error messages. The npm ci command in E2E Tests, Lighthouse, and Jest workflows fails with cryptic errors about missing package versions like "No matching version found for gulp@^6.0.0". Developers don't understand that their lock file is out of sync with package.json, so they waste time debugging the npm registry instead of solving the actual problem.

The three workflows affected are:

  • E2E Tests (pr-cypress-e2e.yml)
  • Lighthouse Performance Audit (lighthouse-ci.yml)
  • Jest Unit Tests (pr-jest-tests.yml)

Desired Behavior

Workflows should detect when package-lock.json is out of sync with package.json before attempting npm ci. They should fail fast with a clear, actionable error message that explains the actual problem and tells developers exactly what to do: "Run npm install locally and commit the updated package-lock.json".

This prevents confusing CI failures, reduces developer frustration, and provides clear guidance for anyone unfamiliar with npm's lock file mechanism.

Implementation

Add a validation step before npm ci in the affected workflows. The approach:

  • Create a bash script that runs npm ci --dry-run to detect mismatches between package.json and package-lock.json
  • If npm ci --dry-run fails, the script should exit with a clear error message explaining the lock file is out of sync
  • Add this validation step to the job's steps section before the npm ci or setup-node cache step

The error message should be simple and actionable:

Error: package-lock.json is out of sync with package.json. Run npm install locally and commit the updated lock file.

Implementation should be added to:

  • pr-cypress-e2e.yml (before Cypress install step)
  • lighthouse-ci.yml (before Lighthouse install step)
  • pr-jest-tests.yml (before Jest install step)

Reproduction

See PR #3 in Sekar-C-Mca/musicblocks fork:
Sekar-C-Mca#3

This PR intentionally updates the gulp version in package.json without updating package-lock.json, demonstrating all three workflows failing with the same ETARGET error.

Acceptance Tests

Acceptance criteria for this issue:

  • Validation step runs before npm ci in all three affected workflows
  • When package.json is updated without updating package-lock.json, the validation step detects it and fails with a clear error message
  • Error message explicitly mentions "package-lock.json is out of sync" and guides developers to run npm install locally
  • When both package.json and package-lock.json are in sync, the validation passes and workflows proceed normally
  • The validation does not add significant overhead or slow down workflows (dry-run only, no actual installation)
  • Validation works for both regular commits and pull requests

Checklist

  • I have read and followed the project's code of conduct.
  • I have searched for similar issues before creating this one.
  • I have provided all the necessary information to understand and reproduce the issue.
  • I am willing to contribute to the resolution of this issue.
