[Bug]: `hermes update` runs `npm install` instead of `npm ci`, dirtying package-lock.json after every update

[daneroo]

Bug Description

Summary

hermes update runs npm install --silent as part of its Node.js dependency update step. This allows npm to re-resolve the dependency graph and rewrite package-lock.json, leaving a dirty working tree after every update.

For a deployment/update path, the correct command is npm ci, which installs exactly from the committed lockfile without mutating it.

Context

Observed on Ubuntu 24.04 with npm 10.x after a normal hermes update run.
The dirty diff added @askjo/camoufox-browser transitive dependencies to package-lock.json,
suggesting the committed lockfile was not fully consistent with package.json at that point.
npm ci would have surfaced this inconsistency immediately rather than silently rewriting the file.

Steps to Reproduce

cd ~/.hermes/hermes-agent
git status # clean
hermes update
git status # package-lock.json now modified
git diff --stat -- package-lock.json

Expected Behavior

Expected: working tree remains clean after hermes update
Actual: package-lock.json is rewritten with ~2000+ line diff due to dependency re-resolution

Actual Behavior

cd ~/.hermes/hermes-agent
git status # clean
hermes update
git status
modified: package-lock.json

Affected Component

Setup / Installation, Other

Messaging Platform (if gateway-related)

No response

Operating System

Ubuntu 24.04

Python Version

3.11.15

Hermes Version

Hermes Agent v0.6.0 (2026.3.30)

Relevant Logs / Traceback

Root Cause Analysis (optional)

In hermes_cli/main.py around lines 3027–3032:

if (PROJECT_ROOT / "package.json").exists():
    import shutil
    if shutil.which("npm"):
        print("→ Updating Node.js dependencies...")
        subprocess.run(["npm", "install", "--silent"], cwd=PROJECT_ROOT, check=False)

npm install re-resolves the dependency graph and may rewrite package-lock.json.

Proposed Fix (optional)

Proposed fix

Replace:

subprocess.run(["npm", "install", "--silent"], cwd=PROJECT_ROOT, check=False)

With:

subprocess.run(["npm", "ci", "--silent"], cwd=PROJECT_ROOT, check=False)

npm ci:

• Installs exactly from package-lock.json
• Does not mutate the lockfile
• Is the standard command for reproducible installs in CI/CD and deployment contexts
• Will fail fast if package-lock.json is inconsistent with package.json, which is the correct behaviour (surface the inconsistency rather than silently mutate)

It is important that the working package-lock.json be committed

Are you willing to submit a PR for this?

• I'd like to fix this myself and submit a PR

[AdityaRajeshGadgil]

Confirmed again on a current VM.

I verified the linked root cause is still present on current main:

• package.json includes @askjo/camoufox-browser
• committed package-lock.json does not
• running npm install --silent in the repo immediately dirties package-lock.json

So issue #4048 is real, but there is also an upstream lockfile mismatch causing it to trigger right now.

Relevant companion issue:

• package.json and package-lock.json are out of sync after Camofox dependency addition #4408 package.json and package-lock.json are out of sync after Camofox dependency addition

In other words:

• using npm ci would be the safer update behavior because it would fail loudly instead of mutating the repo
• but npm ci will still require package.json and package-lock.json are out of sync after Camofox dependency addition #4408 to be fixed first, because the committed lockfile currently does not match package.json

[ifmein]

Same issue on Hermes v0.11.0, npm 11.9.0, macOS 15.4.0. Every hermes update dirties web/package-lock.json. The root cause is client-side building — should be pre-built in CI/CD.

[teknium1]

This has been fixed on main and shipped in v2026.4.30.

Thank you for the detailed report and the spot-on root cause analysis — the proposed fix was implemented almost exactly as described.

• Commit: 34eb1aaa9 — fix(update): use npm ci to stop rewriting package-lock on every update (#16295)
• Implementation: hermes_cli/main.py line 5263 — new _run_npm_install_deterministic() helper that tries npm ci first (lockfile-preserving, fast-fails on mismatch) and falls back to npm install only when the lockfile is absent or out of sync.
• Both _update_node_dependencies() and _build_web_ui() now use this helper, so the entire hermes update path is covered.

Note: companion issue #4408 (committed lockfile out of sync with package.json due to @askjo/camoufox-browser) is tracked separately — the fallback path in _run_npm_install_deterministic() handles that gracefully rather than failing hard.

This is an automated hermes-sweeper review.