fix(deps): pin template systeminformation to 5.31.7 for JFrog cooldown #466

Merged: MarioCadenas merged 1 commit into main from fix/template-systeminformation-jfrog-cooldown on Jul 1, 2026
Conversation

@MarioCadenas

Collaborator

Problem

The Install template dependencies step fails with E403 in both CI jobs that build the template artifact:

  • PR Template Artifact (ci.yml) on PRs
  • template-artifact (prepare-release.yml) on main

```
npm error 403 Forbidden - GET https://databricks.jfrog.io/.../systeminformation/-/systeminformation-5.31.11.tgz
... blocked by jfrog packages curation service ... {7d-cooldown, Package version is 6 days old}
```

Both jobs run `npm install` (not `npm ci`) on a fresh copy of the template. That re-resolves the transitive requirement `systeminformation@^5.31.6` (pulled in by `@databricks/appkit` → `@opentelemetry/instrumentation-host-metrics@0.2.0`) to the newest published version, 5.31.11. JFrog's curation service blocks packages younger than 7 days, so the download 403s.

This is not a one-off: because the step re-resolves to latest on every run, it breaks again on any fresh systeminformation release inside its 7-day cooldown window. The monorepo itself is unaffected — its pnpm lock pins 5.31.7 and CI installs with --frozen-lockfile.

Fix

Pin the transitive dep via the template's existing overrides block (same mechanism already used for vite/@opentelemetry/core) to 5.31.7 — the version AppKit is built/tested against and which JFrog already serves.

  • template/package.json — add "systeminformation": "5.31.7" to overrides. prepare-template-artifact.ts copies package.json (overrides included) into the install dir before npm install, so this is what unblocks CI.
  • template/package-lock.json — update the committed entry 5.31.11 → 5.31.7 (integrity taken from the monorepo pnpm lock) so the source snapshot stays consistent.

Verification

  • tools/check-template-deps.ts → passes (pin check only inspects dependencies/devDependencies).
  • tools/check-template-lock-registry.ts → passes (public npm registry only).

Note: this pins systeminformation for scaffolded apps until someone bumps it — acceptable for a telemetry transitive dep and consistent with the other pinned overrides.

Template artifact jobs run `npm install` (not `npm ci`) on a fresh copy,
re-resolving the transitive `systeminformation@^5.31.6` (via
@opentelemetry/instrumentation-host-metrics) to the newest published
version. JFrog curation blocks versions younger than 7 days, causing an
E403 in 'Install template dependencies' on PRs and prepare-release.

Pin via the existing overrides block to 5.31.7 (the version AppKit is
built against) so installs no longer chase immature releases.

Signed-off-by: MarioCadenas <MarioCadenas@users.noreply.github.com>
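
A pre-install check for the failure this PR describes, as an added example that is not part of the PR or the repository's tooling: it flags locked versions still inside the 7-day window and lock entries that disagree with an exact-version override. The helper names, the sample lock, the `example-dep` package and all publish dates are constructed assumptions.

```javascript
// Added example: all data below is constructed; helper names are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed package-lock (lockfileVersion 3 layout), before the pin.
const lockBefore = { packages: {
  "": { name: "template" },
  "node_modules/systeminformation": { version: "5.31.11" },
  "node_modules/example-dep": { version: "1.2.3" }, // placeholder package
} };
// Constructed publish dates, shaped like the registry's per-version `time` map.
const publishTimes = {
  systeminformation: { "5.31.7": "2026-05-20T00:00:00Z", "5.31.11": "2026-06-25T00:00:00Z" },
  "example-dep": { "1.2.3": "2026-01-10T00:00:00Z" },
};

// Yield [name, version] for every installed entry in the lock's "packages" map.
function* lockedEntries(lock) {
  for (const [path, meta] of Object.entries(lock.packages)) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0 || !meta.version) continue; // root project or workspace link
    yield [path.slice(i + "node_modules/".length), meta.version];
  }
}

// Locked versions still inside the cooldown window. An unknown publish date
// is reported too (ageDays: null), so the check fails closed.
function cooldownViolations(lock, times, now, cooldownDays = 7) {
  const hits = [];
  for (const [name, version] of lockedEntries(lock)) {
    const published = times[name]?.[version];
    const ageDays = published ? Math.floor((now - Date.parse(published)) / DAY_MS) : null;
    if (ageDays === null || ageDays < cooldownDays) hits.push({ name, version, ageDays });
  }
  return hits;
}

// Lock entries that disagree with an exact-version override. Only flat
// "name": "x.y.z" overrides are handled; nested or range overrides are skipped.
function overrideMismatches(lock, overrides) {
  const hits = [];
  for (const [name, version] of lockedEntries(lock)) {
    const pinned = overrides[name];
    if (typeof pinned === "string" && /^\d+\.\d+\.\d+$/.test(pinned) && pinned !== version)
      hits.push({ name, locked: version, pinned });
  }
  return hits;
}

const now = Date.parse("2026-07-01T10:00:00Z"); // constructed "CI run" time
console.log(cooldownViolations(lockBefore, publishTimes, now));
console.log(overrideMismatches(lockBefore, { systeminformation: "5.31.7" }));
```
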
@MarioCadenas MarioCadenas requested a review from a team as a code owner July 1, 2026 10:00
@MarioCadenas MarioCadenas requested a review from ditadi July 1, 2026 10:00
@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

🔬  Run evals on this PR  ·  Go to Evals Monitor →

@MarioCadenas MarioCadenas merged commit fb0bd1a into main Jul 1, 2026
10 checks passed
@MarioCadenas MarioCadenas deleted the fix/template-systeminformation-jfrog-cooldown branch July 1, 2026 10:14