1 change: 1 addition & 0 deletions .npmrc
@@ -3,3 +3,4 @@
# SPDX-License-Identifier: CC0-1.0

ignore-scripts = true
allow-git = root
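Review bot: `allow-git = root` only takes effect on an npm release that recognises the key; the analysis below reports that npm < 11.9.0 ignores it and that the GitHub Actions ubuntu-24.04 default npm (10.8.3) is in that range, so on an unpinned runner this line adds no restriction at all, while the `ignore-scripts = true` line above it is honoured everywhere. Pin the npm version in the same change (an `engines` entry in package.json, a `.nvmrc`/`.node-version`, or a `setup-node` step in CI, as the comment suggests), and consider a one-line comment next to the new key, in the style of the existing `# SPDX-License-Identifier` line, recording the minimum npm version the setting depends on, so the dependency is visible to anyone editing `.npmrc` later.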
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Check npm/node version pinning in repo metadata =="
fd -HI '(^|/)(package.json|.nvmrc|.node-version|Dockerfile|dockerfile|compose\.ya?ml|ci\.yml|.*workflow.*\.ya?ml)$' \
  | xargs -r rg -n -C2 --iglob '*package.json' --iglob '*.yml' --iglob '*.yaml' --iglob 'Dockerfile*' \
    '("engines"\s*:\s*\{|"npm"\s*:\s*|node-version|setup-node|npm@|corepack|npm ci|npm install)'

echo
echo "== Check for npm config usage related to allow-git =="
rg -n -C2 --iglob '*.yml' --iglob '*.yaml' --iglob '*.sh' --iglob '*.md' --iglob '.npmrc' \
  '(allow-git|npm ci|npm install|--allow-git)'

echo
echo "Expected: all execution paths that run npm are pinned to npm >= 11.9.0 (or explicitly pass --allow-git=root)."

Repository: ddterm/gjs-typelib-installer

Length of output: 886


🏁 Script executed:

# Check package.json for engines field
head -50 package.json

# Check if .nvmrc or .node-version files exist (fd matches a regex against the file name; -H includes dotfiles, -t f restricts to regular files)
fd -H -t f '^\.(nvmrc|node-version)$'

# Check GitHub Actions workflow for node-version input
grep -A5 -B5 'setup-node\|node-version' .github/workflows/ci.yml || echo "No setup-node or node-version found"

Repository: ddterm/gjs-typelib-installer

Length of output: 1580


🏁 Script executed:

cat .github/workflows/ci.yml

Repository: ddterm/gjs-typelib-installer

Length of output: 3811


🌐 Web query:

GitHub Actions ubuntu-24.04 default Node.js npm version

💡 Result:

On GitHub Actions ubuntu-24.04 runner (current as of 2026-05-03), the default Node.js version is 20.20.2. This is the version available on PATH without using actions/setup-node. The corresponding default npm version is the one bundled with Node.js 20.20.2, which is npm 10.8.3 (confirmed from Node.js release notes and standard bundling). Multiple Node.js versions are pre-cached (20.x, 22.x, 24.x), but 20.20.2 is listed first under Language and Runtime as the primary/default installation. Note: Node.js 20 reaches EOL on 2026-04-30, and there is an open issue discussing updating the default to 22 or 24 post-EOL, but as of current sources (main branch Readme and March/April 2026 image releases), it remains 20.20.2.

Pin npm to version ≥ 11.9.0 to enforce allow-git restriction.

The allow-git config is silently ignored by npm < 11.9.0. Current GitHub Actions ubuntu-24.04 default is npm 10.8.3, which does not support this feature. Add version pinning via engines field in package.json, .nvmrc, .node-version, or setup-node action in CI to ensure npm ≥ 11.9.0 runs in all execution contexts.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.npmrc at line 6, The .npmrc uses allow-git which is ignored by npm <
11.9.0; ensure CI and developer environments run npm ≥ 11.9.0 by adding an
explicit npm version pin — e.g., add an engines field to package.json ("npm":
">=11.9.0"), or add a .nvmrc / .node-version with a Node release that ships npm
≥ 11.9.0, or configure your GitHub Actions setup-node step to install npm >=
11.9.0; update whichever of package.json, .nvmrc, .node-version or the CI
setup-node action you prefer so that the allow-git setting in .npmrc is honored.
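The review above recommends pinning npm so that the `allow-git` key in `.npmrc` is actually honoured. The script below is an added example, not code from the ddterm/gjs-typelib-installer repository or from the review bot: it is a small guard a CI job can run before `npm ci`, failing the job when the npm on PATH is older than the threshold. The 11.9.0 threshold is taken from the review comment and is the only assumption; the function and file names are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the ddterm/gjs-typelib-installer project): refuse to
# run npm when it is too old to understand the allow-git key in .npmrc.
# Assumption, taken from the review comment: allow-git is honoured from npm 11.9.0.
MIN_NPM_VERSION="11.9.0"

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing the first
# three numeric components; a pre-release suffix such as "-pre.0" is ignored.
version_ge() {
  a="$1"; b="$2"
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}          # missing component counts as 0 (e.g. "11.9")
    x=${x%%-*}; y=${y%%-*}        # drop "-pre..." style suffixes before arithmetic
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# npm_honours_allow_git VERSION: succeed when that npm version knows allow-git.
npm_honours_allow_git() {
  version_ge "$1" "$MIN_NPM_VERSION"
}

# check_npm_on_path: run in CI before `npm ci`; non-zero exit when the pin is not met,
# so an unpinned runner cannot silently install with the restriction ignored.
check_npm_on_path() {
  if ! command -v npm >/dev/null 2>&1; then
    echo "npm not found on PATH" >&2
    return 2
  fi
  v=$(npm --version)
  if npm_honours_allow_git "$v"; then
    echo "npm $v honours allow-git (>= $MIN_NPM_VERSION)"
  else
    echo "npm $v is older than $MIN_NPM_VERSION: the allow-git key in .npmrc would be ignored" >&2
    return 1
  fi
}

# Only run the live check when invoked with --check, so the file can also be sourced.
case "${1:-}" in
  --check) check_npm_on_path ;;
esac
```

Invoke it as `sh check-npm.sh --check` as the first step of the CI job that runs `npm ci`; combined with an `engines` pin in package.json (which npm itself only turns into a hard failure when `engine-strict` is set), this makes an unsupported npm visible as a failed job rather than a quietly weaker install.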