Integrating with node

nlf edited this page Dec 5, 2022 · 2 revisions

The node project currently bundles npm in every version. In order to allow our team to release new semver-major versions of the npm CLI, we have some guidelines to follow. Please note that these are guidelines: they are not exhaustive, and failures may not be the responsibility of the npm team to address. Our duty is to do our best and to determine the root cause of any new failures so that we may discuss them with the node project before a new version is bundled.

Note that in all cases exceptions may be made if the root cause of a new failure is determined to not be due to the new release of npm or the process of updating npm.

No new failures in the node project's tests.

To ensure this, we will have a GitHub action, triggered by new releases, that downloads and builds the current node release lines with an updated npm and runs the node project's tests.

No new failures installing the packages defined by citgm.

The set of packages curated by citgm is reasonably diverse. When a release is published, we will use citgm (or some derivative) to download the latest published version of each package and run npm install followed by npm ls to verify we have generated a valid package tree.

No new failures running tests for packages defined by citgm.

After npm install and npm ls verify that we are able to create a valid package tree, we additionally run each of the project's tests. Note that this is a rule that weighs heavily on the maintenance of the project being tested. In some cases a failure may be due to the update of node rather than npm; in this case the failure is acceptable.

No backwards incompatible changes to existing package-lock.json files.

To ensure our users can work smoothly in both the latest npm release and previous versions, we must be diligent about only making breaking changes to package-lock.json files when explicitly requested. Since breaking changes to the lock file are signified by a change in the lockfileVersion property, our automated testing will include checking each package in citgm for an existing package-lock.json. If one is found, we assert that the lockfileVersion found within does not change after npm install is run.

There is a significant exception to this rule in that v1 lockfiles will always be upgraded to whatever the default for the newer npm version is. Any lockfile with a starting version above v1 must not change.
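The lockfileVersion rule and its v1 exception can be expressed as a small check over the lockfile text captured before and after npm install. This is an added example, not the npm team's actual test code; the function names, the sample lockfiles, and the default version of 3 are assumptions made for illustration.

```javascript
// Added example: lockfileVersion stability check (not npm's actual CI code).
// Inputs are the raw package-lock.json text before and after `npm install`;
// `before` is null when the package ships no lockfile.

function lockfileVersion(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch {
    return null; // unparseable lockfile
  }
  const v = parsed && parsed.lockfileVersion;
  return Number.isInteger(v) ? v : null;
}

function checkLockfile(before, after, npmDefault) {
  if (before === null) {
    return { ok: true, reason: 'no existing package-lock.json, rule does not apply' };
  }
  const from = lockfileVersion(before);
  const to = lockfileVersion(after);
  if (from === null || to === null) {
    // Assumption of this example: a missing version is a failure, not a pass.
    return { ok: false, reason: 'lockfileVersion missing or unreadable' };
  }
  if (from === 1) {
    // Documented exception: v1 is always upgraded to the new npm's default.
    return to === npmDefault
      ? { ok: true, reason: `v1 upgraded to default v${to}` }
      : { ok: false, reason: `v1 expected to become v${npmDefault}, got v${to}` };
  }
  return from === to
    ? { ok: true, reason: `v${from} unchanged` }
    : { ok: false, reason: `v${from} changed to v${to}` };
}

// Constructed sample lockfiles (not taken from any real package).
const lock = (v) => JSON.stringify({ name: 'sample', lockfileVersion: v, packages: {} });
const NPM_DEFAULT = 3; // assumed default for the npm under test

const results = [
  ['v2 kept', checkLockfile(lock(2), lock(2), NPM_DEFAULT)],
  ['v2 bumped', checkLockfile(lock(2), lock(3), NPM_DEFAULT)],
  ['v1 upgraded', checkLockfile(lock(1), lock(3), NPM_DEFAULT)],
  ['no lockfile', checkLockfile(null, lock(3), NPM_DEFAULT)],
];
for (const [name, r] of results) console.log(`${name}: ${r.ok ? 'PASS' : 'FAIL'} (${r.reason})`);
```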