#50598: build: replace npx with lockfile-pinned binaries
Merged
Created: Mar 31, 2026, 12:38:10 AM
Merged: Mar 31, 2026, 3:23:44 PM
6 comments
Target: main
npx resolves versions from the registry at invocation time, bypassing yarn.lock integrity checks. Replace all build-time uses with pinned equivalents:
- nan-spec-runner — reorder `yarn install` before `node-gyp rebuild`, invoke `third_party/nan/node_modules/node-gyp/bin/node-gyp.js` directly. We control nan's yarn.lock via patch, so the version is already pinned. Drops the `'latest'` fallback and Windows `shell: true`.
- publish-to-npm — use host `npm view` with try/catch on E404 (modern npm exits 1 on 404; the old empty-string check was npm@6 behavior). Closes the existing TODO.
- upload-symbols — add `@sentry/cli@1.62.0` to devDependencies (with `dependenciesMeta.built: true` so the native binary installs), invoke from `node_modules/.bin/sentry-cli`.
- script/lib/npx.py — dead since #48243 (yarn v4 migration replaced the DEPS hook).
Notes: none
Backports
- 39-x-y: Pending, waiting for a manual backport
- 40-x-y: Pending, waiting for a manual backport
- 41-x-y: Pending, waiting for a manual backport
- 42-x-y: Pending, waiting for a manual backport