dosubot[bot] commented on issue #35797: URL: https://github.com/apache/superset/issues/35797#issuecomment-3432111621
This issue is caused by Superset's package.json specifying luxon with a loose version range (`^3.5.0`). When a new luxon release (like 3.7.2) appears in the npm registry, `npm install` updates package-lock.json to the latest matching version, even if your code hasn't changed. This causes `npm ci` to fail if the lockfile references an older version (like 3.6.1) that no longer satisfies the semver range, breaking reproducible builds and CI/CD pipelines. This is standard npm behavior and not specific to Superset—it's triggered by upstream dependency releases and strict lockfile validation in `npm ci`. You can see similar reports and explanations in [Issue #33881](https://github.com/apache/superset/issues/33881) and [this discussion](https://github.com/apache/superset/discussions/35078).

To prevent this in future releases, the best practice is to regularly update and commit package-lock.json whenever a new compatible dependency version is published, or to pin the luxon version in package.json (e.g., `"luxon": "3.6.1"`) instead of using a loose range. Pinning was previously used to unblock master and restore reproducibility ([PR #30859](https://github.com/apache/superset/pull/30859)). This ensures that builds remain stable regardless of upstream changes.
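An added example, not part of the original comment or of Superset's code: a Node.js check that classifies each dependency as pinned, on a floating range, or out of sync with the lockfile, which is the condition `npm ci` rejects. The manifest and lockfile objects are constructed samples using the versions mentioned above; `auditLock` and its status names are hypothetical, the lockfile layout assumed is the `packages` map of lockfileVersion 2/3, and only exact and caret specs are evaluated.

```javascript
// Parse a plain x.y.z version; prerelease/build tags are not handled here.
const parse = (v) => {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
};
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Caret rule: everything up to and including the left-most non-zero
// component must match, and the version must not be below the base.
function satisfiesCaret(version, base) {
  if (cmp(version, base) < 0) return false;
  const i = base.findIndex((n) => n !== 0);
  const fixed = i === -1 ? 3 : i + 1;
  return base.slice(0, fixed).every((n, k) => version[k] === n);
}

// Compare each declared spec in package.json with the version the lockfile resolved.
function auditLock(pkg, lock) {
  const findings = [];
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  for (const [name, spec] of Object.entries(deps)) {
    const entry = lock.packages?.[`node_modules/${name}`];
    if (!entry) { findings.push({ name, spec, status: "missing-from-lock" }); continue; }
    const caret = spec.startsWith("^");
    const base = parse(caret ? spec.slice(1) : spec);
    const locked = parse(entry.version);
    if (!base || !locked) {
      // Tilde, comparator, tag or prerelease specs are left to npm itself.
      findings.push({ name, spec, locked: entry.version, status: "unchecked" });
      continue;
    }
    const ok = caret ? satisfiesCaret(locked, base) : cmp(locked, base) === 0;
    const status = !ok ? "out-of-sync" : caret ? "floating-range" : "pinned";
    findings.push({ name, spec, locked: entry.version, status });
  }
  return findings;
}

// Constructed sample input (not Superset's real files).
const samplePkg = { dependencies: { luxon: "^3.5.0" } };
const sampleLock = {
  lockfileVersion: 3,
  packages: { "": { dependencies: { luxon: "^3.5.0" } },
              "node_modules/luxon": { version: "3.6.1" } },
};
console.log(auditLock(samplePkg, sampleLock));
```

Run in CI before `npm ci`, a non-empty set of `out-of-sync` findings points at the dependency to re-lock, and `floating-range` findings list the candidates for pinning.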
