Merge branch 'main' into fix/1147-dropped-language-gap-test

Author: carlos-alm

.github/workflows/ci.yml

@@ -21,6 +21,13 @@ jobs:
         with:
           node-version: 22
 
+      # Runs before `npm install` because npm 11 silently strips the `libc`
+      # field from optional-dependency lockfile entries (see #1160). If the
+      # check ran post-install we'd flag every CI run instead of the PRs that
+      # actually introduce the regression.
+      - name: Verify lockfile libc discriminators
+        run: node scripts/verify-lockfile-libc.mjs
+
       - name: Install dependencies
         timeout-minutes: 20
         shell: bash

package-lock.json

@@ -0,0 +1,54 @@
+#!/usr/bin/env node
+// Verifies that @optave/codegraph-linux-* entries in package-lock.json declare
+// the `libc` discriminator. npm 11 silently strips this field when generating
+// the lockfile on non-Linux hosts (and sometimes on Linux too), even though the
+// published packages declare it. Without it, npm cannot disambiguate
+// linux-x64-gnu vs linux-x64-musl when resolving from the lockfile and may
+// install (or load) the wrong native binary on Alpine/musl hosts.
+//
+// Run via `npm run lint` (or directly) in CI to catch silent regressions from
+// Dependabot bumps and contributor `npm install` runs.
+import { readFileSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const EXPECTED_LIBC = {
+  '@optave/codegraph-linux-arm64-gnu': 'glibc',
+  '@optave/codegraph-linux-x64-gnu': 'glibc',
+  '@optave/codegraph-linux-x64-musl': 'musl',
+};
+
+// Resolve relative to this script's location so it works regardless of CWD
+// (e.g. running `node scripts/verify-lockfile-libc.mjs` from the `scripts/`
+// subdirectory still finds the repo-root lockfile).
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const lockfilePath = resolve(__dirname, '..', 'package-lock.json');
+const lock = JSON.parse(readFileSync(lockfilePath, 'utf8'));
+const failures = [];
+
+for (const [pkgName, expectedLibc] of Object.entries(EXPECTED_LIBC)) {
+  const entry = lock.packages?.[`node_modules/${pkgName}`];
+  if (!entry) {
+    failures.push(`${pkgName}: missing from package-lock.json`);
+    continue;
+  }
+  const libc = entry.libc;
+  if (!Array.isArray(libc) || !libc.includes(expectedLibc)) {
+    failures.push(
+      `${pkgName}: expected libc=["${expectedLibc}"], got ${JSON.stringify(libc)}`,
+    );
+  }
+}
+
+if (failures.length > 0) {
+  console.error('package-lock.json libc discriminator check failed:\n');
+  for (const f of failures) console.error(`  - ${f}`);
+  console.error(
+    '\nnpm install may have stripped the libc field. Restore it by editing\n' +
+      'package-lock.json so each @optave/codegraph-linux-* entry includes\n' +
+      'its libc field (see expected values above). Tracked in #1160.',
+  );
+  process.exit(1);
+}
+
+console.log('package-lock.json libc discriminators OK');

scripts/verify-lockfile-libc.mjs

@@ -149,16 +149,16 @@ describe('snapshotSave', () => {
   // snapshotSave. better-sqlite3 is synchronous, so Promise-based
   // concurrency would queue two sequential microtasks — only separate
   // threads exercise the TOCTOU race.
-  const nodeMajor = Number(process.versions.node.split('.')[0]);
   const raceWorkerPath = path.join(__dirname, 'snapshot-race-worker.mjs');
   // --import requires a URL (file://…) or a bare/relative specifier, not a
   // drive-letter path on Windows. Use the file:// URL directly.
   const loaderUrl = new URL('../../scripts/ts-resolve-loader.js', import.meta.url).href;
-  const raceExecArgv = [
-    nodeMajor >= 23 ? '--strip-types' : '--experimental-strip-types',
-    '--import',
-    loaderUrl,
-  ];
+  // `--experimental-strip-types` is accepted by Worker execArgv across all
+  // supported Node versions (≥ 22.6); the unprefixed `--strip-types` flag
+  // is not in the Worker allowlist on Node 24 and causes
+  // ERR_WORKER_INVALID_EXEC_ARGV. On Node ≥ 23.6 type stripping is on by
+  // default, so the flag is a harmless no-op there.
+  const raceExecArgv = ['--experimental-strip-types', '--import', loaderUrl];
   const spawnSaveWorker = (workerData: {
     dbPath: string;
     name: string;