
fix(setup): use npm ci instead of npm install in hermes update #4114

Open: shannonsands wants to merge 1 commit into main from fix/npm-ci-update

@shannonsands

Contributor

What does this PR do?

Replaces npm install --silent with npm ci --silent in the hermes update command. npm install re-resolves the dependency graph and rewrites package-lock.json, leaving a dirty working tree after every update. npm ci installs exactly from the committed lockfile without mutating it.

Related Issue

Fixes #4048

Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)
  • ✨ New feature (non-breaking change that adds functionality)
  • 🔒 Security fix
  • 📝 Documentation update
  • ✅ Tests (adding or improving test coverage)
  • ♻️ Refactor (no behavior change)
  • 🎯 New skill (bundled or hub)

Changes Made

  • hermes_cli/main.py line 3041: npm install --silent → npm ci --silent

One line changed. The WhatsApp bridge npm install (line 742) is intentionally left as-is — that is an initial install into an empty node_modules/, where npm install is correct.

How to Test

cd ~/.hermes/hermes-agent
git status            # clean
hermes update
git status            # package-lock.json should remain unmodified

Checklist

Code

  • I've read the Contributing Guide
  • My commit messages follow Conventional Commits
  • I searched for existing PRs to make sure this isn't a duplicate
  • My PR contains only changes related to this fix (no unrelated commits)
  • I've run pytest tests/ -q and all tests pass — N/A (one-line behavioral change in update command)
  • I've added tests for my changes — N/A
  • I've tested on my platform: macOS 15 (Apple Silicon)

Documentation & Housekeeping

  • I've updated relevant documentation — N/A
  • I've updated cli-config.yaml.example — N/A
  • I've updated CONTRIBUTING.md or AGENTS.md — N/A
  • I've considered cross-platform impact — npm ci is available on all platforms with npm 5.7+
  • I've updated tool descriptions/schemas — N/A

npm install re-resolves the dependency graph and rewrites package-lock.json,
leaving a dirty working tree after every update. npm ci installs exactly
from the committed lockfile without mutating it, which is the correct
command for reproducible installs in update/deployment contexts.

Closes #4048
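
An added example (not code from this PR or from hermes-agent): one way to enforce the property the description relies on, that the install step of an update exits cleanly and leaves the committed package-lock.json byte-for-byte unchanged. The names `run_preserving_lockfile` and `LockfileChanged` are hypothetical, and the two commands in `demo()` are constructed stand-ins so the block runs without npm; in real use the command would be `["npm", "ci", "--silent"]`.

```python
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path


class LockfileChanged(RuntimeError):
    """The install step rewrote the committed lockfile."""


def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def run_preserving_lockfile(cmd, repo_dir, lockfile="package-lock.json"):
    """Run cmd in repo_dir; raise if it fails or alters the lockfile."""
    lock = Path(repo_dir) / lockfile
    if not lock.is_file():
        # npm ci refuses to run without a lockfile, so treat this as an error too.
        raise FileNotFoundError(f"{lock} is missing")
    before = digest(lock)
    proc = subprocess.run(cmd, cwd=repo_dir, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"{cmd[0]} exited {proc.returncode}: {proc.stderr.strip()}")
    if digest(lock) != before:
        raise LockfileChanged(f"{lockfile} was modified by {' '.join(cmd)}")
    return before  # digest of the lockfile that was actually installed from


def demo():
    """Constructed stand-ins for the two npm commands, so this runs offline."""
    # Stand-in for `npm ci --silent`: succeeds and leaves the lockfile alone.
    read_only = [sys.executable, "-c", "open('package-lock.json').read()"]
    # Stand-in for `npm install --silent` re-resolving and rewriting the lockfile.
    rewriting = [sys.executable, "-c",
                 "open('package-lock.json', 'a').write('\\n')"]
    results = {}
    with tempfile.TemporaryDirectory() as repo:
        Path(repo, "package-lock.json").write_text('{"lockfileVersion": 3}')
        for name, cmd in (("read_only", read_only), ("rewriting", rewriting)):
            try:
                run_preserving_lockfile(cmd, repo)
                results[name] = "unchanged"
            except LockfileChanged:
                results[name] = "changed"
    return results


if __name__ == "__main__":
    print(demo())
```

The returned digest can be logged alongside the update so the installed dependency set is traceable to a specific committed lockfile.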
@alt-glitch added the labels type/bug (Something isn't working), comp/cli (CLI entry point, hermes_cli/, setup wizard) and P3 (Low — cosmetic, nice to have) on May 2, 2026
@alt-glitch

Collaborator

Likely duplicate of already-merged #16295 which applied the same npm install → npm ci fix to hermes update.

1 similar comment
@alt-glitch

Collaborator

Likely duplicate of already-merged #16295 which applied the same npm install → npm ci fix to hermes update.

Development

Successfully merging this pull request may close these issues.

[Bug]: hermes update runs npm install instead of npm ci, dirtying package-lock.json after every update
