Bumps npm/corepack to match the currently installed node LTS

[pieterocp]

This patches over the error mismatch in #14961 + temp work-around until #14139 is done

What are you trying to accomplish?

I want to be able to use npm 11.10+ with strict engine version(s) so I can use the min-release-age feature while having dependbot upgrade stuff. Given the repeated npm package hijacks, being able to enforce the engine as a hard blocker is a security essential to reduce the risk of pulling in malware on development/agent controlled machines.

See #14961, this is a temp fix by aligning the two versions. Really the npm --version needs some work to be whatever the Dockerfile is actually set to be.

Anything you want to highlight for special attention from reviewers?

I would like to highlight that this bump should be automatically by some tooling / someone should put a manual reminder a week after any node LTS release to do this.

How will you know you've accomplished your goal?

Once this is in, I press try again, and it works.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[pieterocp]

Smoke test looks to be failing already on other branches, guessing it's one where a lockfile needs a bit of updating?

[Copilot]

Pull request overview

Updates the npm_and_yarn updater image’s pinned npm version to better align the corepack-managed npm with the Node LTS toolchain used in Dependabot, addressing the reported npm version mismatch in error output.

Changes:

• Bump the Docker image NPM_VERSION build arg from 11.8.0 to 11.12.1.

[yeikel]

I do not have approval rights, but this change looks good. Thanks!

[yeikel]

Can we bump it to the version that was just released today?

Suggested change

	ARG COREPACK_VERSION=0.34.7
	ARG COREPACK_VERSION=0.35.0

Just to take advantage while we wait for a reviewer :)

[pieterocp]

I'll do it when back at my laptop, is the npm bumped too?

[pieterocp]

Only concern is that this might be breaking the pnpm and some older smoke tests (and subsequently causing a break in functionality?).

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

[pieterocp]

Changed.

[pieterocp]

I understand that it might be busy at Microsoft & GitHub since there have been a few big security breaches, but little things like this should help out, since being able to turn on strict engine requirements for every developer to use a version of npm that supports min-release-age without some dependabot exception will be useful.

Let me know/rebase/make a different PR for all I care, I just want to see this upgraded sooner to enable a good DX without having to compromise on security.

[yeikel]

@kbukum1 Could you please review this?

[yeikel]

I understand that it might be busy at Microsoft & GitHub since there have been a few big security breaches, but little things like this should help out, since being able to turn on strict engine requirements for every developer to use a version of npm that supports min-release-age without some dependabot exception will be useful.

Let me know/rebase/make a different PR for all I care, I just want to see this upgraded sooner to enable a good DX without having to compromise on security.

Thanks for the hard work. Hopefully someone with write permissions will get to it soon 🙏