
Enforce npm ci to prevent package-lock.json churn from peer dependencies#190

Merged
rajbos merged 3 commits into main from copilot/fix-npm-peer-dependencies
Feb 8, 2026

Conversation

Contributor

Copilot AI commented Feb 8, 2026

The package-lock.json file was toggling "peer": true properties across environments. Root cause: npm 7+ adds these markers for unsatisfied peer dependencies (e.g., react from @vscode/webview-ui-toolkit), and npm install modifies the lockfile even without package.json changes.

Changes

  • Added .npmrc: Documents npm configuration (save-exact=true, peer dependency handling)
  • Updated CONTRIBUTING.md: Added NPM dependency management section
    • Enforces npm ci for routine development (doesn't modify lockfile)
    • Reserves npm install for intentional dependency changes only
    • Explains "peer": true behavior in lockfile
  • Updated .devcontainer/devcontainer.json: Changed postCreateCommand from npm install to npm ci

Why npm ci

# npm ci: Clean install from lockfile (no modifications)
npm ci

# npm install: May update lockfile even without changes
npm install  # Only for adding/updating dependencies

CI/CD already uses npm ci exclusively. This change aligns local development with production builds.

Original prompt

Check the npm setup for the extension. I see us toggling the package-lock.json file continuously between adding "peer": true, and then removing it again, depending on where we run it. I want some consistency in this and either document we do not use it, or enforce it being used always.


…json usage

- Add .npmrc to configure npm behavior (save-exact=true for new dependencies)
- Update CONTRIBUTING.md with comprehensive npm dependency management section
- Document the use of npm ci for routine development to avoid lockfile churn
- Explain the "peer": true behavior in package-lock.json and why it's normal
- Update devcontainer to use npm ci instead of npm install
- Provide clear guidance on when to use npm install vs npm ci

Co-authored-by: rajbos <6085745+rajbos@users.noreply.github.com>
Copilot AI changed the title [WIP] Update npm setup for consistent peer dependency usage Enforce npm ci to prevent package-lock.json churn from peer dependencies Feb 8, 2026
Copilot AI requested a review from rajbos February 8, 2026 19:44
@rajbos rajbos marked this pull request as ready for review February 8, 2026 20:27
@rajbos rajbos enabled auto-merge February 8, 2026 20:27
@rajbos rajbos merged commit e96cc6f into main Feb 8, 2026
16 checks passed
@rajbos rajbos deleted the copilot/fix-npm-peer-dependencies branch February 8, 2026 20:33