Remove package-lock.json

[alexeyr-ci2]

Summary

1. Remove package-lock.json.
2. Add instructions for coding agents so it isn't accidentally added again in the future.

Pull Request checklist

• [ ] Add/update test to cover these changes
• [ ] Update documentation
• [ ] Update CHANGELOG file

---

This change is 

Summary by CodeRabbit

• Documentation
  • Clarified formatting: Prettier is sole authority for non‑Ruby files; RuboCop for Ruby files — never manually format.
  • Updated wording to require using Yarn Classic only; do not run npm commands.
  • Expanded formatting workflow guidance, including when to apply automated fixes.
  • Added CI compliance check to block non‑Yarn lockfiles (except Gemfile.lock).

[coderabbitai]

Walkthrough

Documentation updates clarify formatting responsibilities (Prettier for non‑Ruby, RuboCop for Ruby), mandate Yarn Classic (no npm), and add a CI compliance rule disallowing non‑Yarn lock files (except Gemfile.lock). Minor wording and example cosmetic edits included.

Changes

Cohort / File(s)	Summary of Changes
Formatting policy and workflow CLAUDE.md	Reworded formatting guidance to state Prettier is sole authority for non‑Ruby files and RuboCop for Ruby; added directive to never run npm and to use Yarn Classic only; clarified automated formatting workflow and made minor wording tweaks.
CI compliance checklist CODING_AGENTS.md	Added CI checklist item forbidding package-lock.json and other non‑Yarn lock files (except Gemfile.lock); no runtime logic changes, only documentation and example cosmetic adjustment.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Update instructions to agents on formatting #1794 — Overlapping documentation updates enforcing Prettier/RuboCop formatting guidance and conflict-resolution workflow.

Suggested reviewers

• justin808
• Judahmeek

Poem

A rabbit taps keys with measured delight,
Prettier by day, RuboCop by night.
Yarn-only trails, no npm in sight,
Lockfiles trimmed to keep CI light.
Hop, lint, format—everything tight. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "Remove package-lock.json" is concise and directly reflects the PR's primary action—removing package-lock.json and adding guidance to prevent it from being re-added (as shown by edits to CLAUDE.md and CODING_AGENTS.md)—so a reviewer can quickly understand the main change.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch alexeyr/remove-package-lock.json

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5f67d94 and b798615.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• CLAUDE.md (3 hunks)
• CODING_AGENTS.md (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• CLAUDE.md
• CODING_AGENTS.md

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: dummy-app-integration-tests (3.4, 22)
• GitHub Check: dummy-app-integration-tests (3.2, 20)
• GitHub Check: claude-review
• GitHub Check: build
• GitHub Check: rspec-package-tests (3.4, minimum)
• GitHub Check: rspec-package-tests (3.4, latest)
• GitHub Check: rspec-package-tests (3.2, minimum)
• GitHub Check: rspec-package-tests (3.2, latest)

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[alexeyr-ci2]

Could tell it to look up the packageManager field in package.json, but this seems more reliable. Just need to update this if/when we switch to npm.

[claude]

Pull Request Review

Thank you for this important cleanup PR! I've reviewed the changes and have the following feedback:

✅ Strengths

1. Correct Package Manager Alignment: Removing package-lock.json is the right decision since this project uses Yarn (as evidenced by yarn.lock). Having both lock files can cause dependency conflicts and confusion.

2. Clear Documentation Updates: The updates to CLAUDE.md and CODING_AGENTS.md properly document the package manager policy, which will help prevent accidental reintroduction of npm-related files.

3. Comprehensive Instructions: The addition of "Never run npm commands, only equivalent Yarn Classic ones" and similar guidance provides clear direction for both human and AI contributors.

🎯 Suggestions for Improvement

1. Add to .gitignore: Consider adding package-lock.json to .gitignore to prevent it from being accidentally committed in the future:

   # npm lock file (we use Yarn)
   package-lock.json
   

2. Documentation Formatting: In CODING_AGENTS.md line 92, there appears to be trailing whitespace that should be removed per the project's linting rules.

3. CI/CD Verification: Consider adding a CI check that fails if package-lock.json is present, providing an additional safety net.

🔍 Security & Performance

• Security: No security concerns identified. This change actually improves security by ensuring consistent dependency resolution through a single lock file.
• Performance: No performance impact expected. May actually improve CI build times by avoiding conflicting lock file checks.

📋 Testing Recommendations

Before merging:

1. Run yarn install to ensure all dependencies install correctly
2. Execute bundle exec rubocop to verify documentation files pass linting
3. Run the test suite to ensure no regressions

✅ Overall Assessment

This is a valuable housekeeping PR that improves project consistency. The changes are minimal, focused, and well-documented. Once the minor suggestions above are addressed (particularly adding package-lock.json to .gitignore), this PR is ready to merge.

Approved with minor suggestions 👍

[alexeyr-ci2]

Obsolete.

[alexeyr-ci2]

Wasn't a bad example before.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

CLAUDE.md (1)

42-42: Yarn‑only policy LGTM; add npm usage guard in CI

Policy is clear. Add a CI step to fail if npm is used or if npm‑generated artifacts appear:

- name: Block npm usage
  run: |
    if rg -nP '\bnpm\s+(install|ci|run|publish)\b' -g '!**/node_modules/**' -S .; then
      echo "Detected npm command usage. Use yarn."; exit 1; 
    fi

Also applies to: 127-127

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8678270 and 5f67d94.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (2)

• CLAUDE.md (3 hunks)
• CODING_AGENTS.md (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{js,jsx,ts,tsx,json,md,yml,yaml,css,scss,html,graphql,mdx}

📄 CodeRabbit inference engine (CLAUDE.md)

Let Prettier handle all formatting; never manually format code

Files:

• CLAUDE.md
• CODING_AGENTS.md

🧠 Learnings (6)

📓 Common learnings

Learnt from: CR
PR: shakacode/react_on_rails#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-21T00:37:42.807Z
Learning: Applies to {**/*.rb,**/*.rake,**/*.gemspec,Gemfile,Rakefile} : Before every commit/push, run `bundle exec rubocop` and fix all violations; Ruby code must pass RuboCop with zero offenses

Learnt from: CR
PR: shakacode/react_on_rails#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-21T00:37:42.807Z
Learning: Applies to **/*.{js,jsx,ts,tsx,json,md,yml,yaml,css,scss,html,graphql,mdx} : Let Prettier handle all formatting; never manually format code

📚 Learning: 2025-09-21T00:37:42.807Z

Learnt from: CR
PR: shakacode/react_on_rails#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-21T00:37:42.807Z
Learning: Applies to {**/*.rb,**/*.rake,**/*.gemspec,Gemfile,Rakefile} : Before every commit/push, run `bundle exec rubocop` and fix all violations; Ruby code must pass RuboCop with zero offenses

Applied to files:

• CLAUDE.md

📚 Learning: 2025-09-21T00:37:42.807Z

Learnt from: CR
PR: shakacode/react_on_rails#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-21T00:37:42.807Z
Learning: Applies to **/*.{js,jsx,ts,tsx,json,md,yml,yaml,css,scss,html,graphql,mdx} : Let Prettier handle all formatting; never manually format code

Applied to files:

• CLAUDE.md

📚 Learning: 2025-09-21T00:37:42.807Z

Learnt from: CR
PR: shakacode/react_on_rails#0
File: CLAUDE.md:0-0
Timestamp: 2025-09-21T00:37:42.807Z
Learning: Applies to **/*.{js,jsx,ts,tsx} : JavaScript/TypeScript must pass ESLint with zero offenses before committing

Applied to files:

• CLAUDE.md

📚 Learning: 2025-09-16T08:01:11.146Z

Learnt from: justin808
PR: shakacode/react_on_rails#1770
File: lib/generators/react_on_rails/templates/base/base/app/javascript/src/HelloWorld/ror_components/HelloWorld.client.jsx:2-2
Timestamp: 2025-09-16T08:01:11.146Z
Learning: React on Rails uses webpack CSS Modules configuration with namedExports: true, which requires the import syntax `import * as style from './file.module.css'` rather than the default export pattern. This configuration enables better tree shaking and bundle size optimization for CSS modules.

Applied to files:

• CLAUDE.md

📚 Learning: 2025-02-13T14:29:49.267Z

Learnt from: AbanoubGhadban
PR: shakacode/react_on_rails#1644
File: spec/react_on_rails/utils_spec.rb:218-218
Timestamp: 2025-02-13T14:29:49.267Z
Learning: In RSpec tests, prefer using local variables over constants within test blocks to avoid constant redefinition warnings and maintain better test isolation.

Applied to files:

• CODING_AGENTS.md

🪛 GitHub Actions: Lint JS and Ruby

CODING_AGENTS.md

[warning] 1-1: Code style issues found in CODING_AGENTS.md. Run Prettier with --write to fix.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)

• GitHub Check: dummy-app-integration-tests (3.2, 20)
• GitHub Check: dummy-app-integration-tests (3.4, 22)
• GitHub Check: rspec-package-tests (3.4, latest)
• GitHub Check: rspec-package-tests (3.2, latest)
• GitHub Check: rspec-package-tests (3.2, minimum)
• GitHub Check: rspec-package-tests (3.4, minimum)
• GitHub Check: claude-review

🔇 Additional comments (2)

CLAUDE.md (1)

12-12: Formatting ownership language LGTM; align other docs

The “Prettier+RuboCop handle ALL formatting” statements look correct. Ensure CODING_AGENTS.md (Line 20) is updated to remove “format manually” and point to automated formatting commands for consistency.

Also applies to: 46-46

CODING_AGENTS.md (1)

33-33: Add CI guard for non‑Yarn lockfiles and fix Prettier warning

Enforce the checklist in CI (fail on disallowed lockfiles) and fix formatting in CODING_AGENTS.md.

File: CODING_AGENTS.md — checklist at line 33; change the "format manually" note at line 20 to the repo formatter command.

CI guard (add to an existing workflow step):

- name: Disallow non-Yarn lockfiles
  run: |
    set -euo pipefail
    disallowed=(package-lock.json npm-shrinkwrap.json pnpm-lock.yaml bun.lockb)
    found="$(git ls-files "${disallowed[@]}" || true)"
    if [[ -n "$found" ]]; then
      echo "Found disallowed lock files:"; echo "$found"; exit 1
    fi

Formatting: run yarn prettier --write CODING_AGENTS.md and replace the manual-format instruction (line 20) with the repo formatter command (e.g., yarn start format or rake autofix).

[claude]

Code Review for PR #1804: Remove package-lock.json

✅ Overall Assessment

This PR correctly addresses an important issue in the repository's package management consistency. The changes are appropriate and necessary for maintaining a clean development environment.

🎯 Positive Aspects

1. Correct Package Manager Standardization: The removal of package-lock.json is the right decision as this project uses Yarn Classic (confirmed by presence of yarn.lock). Having both lock files can cause dependency conflicts and CI issues.

2. Clear Documentation Updates: The changes to CLAUDE.md properly clarify that:

   • RuboCop handles Ruby formatting
   • Prettier handles non-Ruby file formatting
   • npm commands should never be used

3. Preventive Measures: Adding the check to CODING_AGENTS.md helps prevent future accidental additions of non-Yarn lock files.

📝 Suggestions for Improvement

1. Add .gitignore Entry: Consider adding package-lock.json to the .gitignore file to prevent it from being accidentally committed in the future:

   # Package managers - we use Yarn exclusively
   package-lock.json
   pnpm-lock.yaml
   

2. CI/CD Validation: Consider adding a CI check that fails if package-lock.json is present. This could be a simple script in your CI workflow:

   if [ -f "package-lock.json" ]; then
     echo "Error: package-lock.json found. This project uses Yarn exclusively."
     exit 1
   fi

3. Developer Setup Documentation: While the CLAUDE.md updates are good, consider also updating the main README or CONTRIBUTING.md to make it clear to all developers (not just AI agents) that Yarn is the exclusive package manager.

✔️ Code Quality

• Documentation changes are clear and well-written
• Changes align with project conventions
• No security concerns identified
• The massive deletion (-11,984 lines) is expected for removing a lock file

🧪 Test Coverage

No tests needed for this change as it's purely a build configuration/documentation update.

🔒 Security Considerations

Removing package-lock.json when yarn.lock exists is actually a security improvement as it ensures consistent dependency resolution.

⚡ Performance Impact

This change will prevent potential performance issues caused by conflicting package managers and ensure faster, more reliable installs.

Conclusion

Approved ✅ - This is a necessary housekeeping change that improves the project's build consistency. The only minor suggestion would be to add preventive measures via .gitignore to ensure this doesn't happen again.

Great work on catching this issue and documenting the package manager requirements clearly!

[claude]

Code Review for PR #1804: Remove package-lock.json

✅ Summary

This PR correctly removes the inadvertently committed package-lock.json file and updates documentation to prevent its future introduction. The changes align well with the project's use of Yarn Classic as the standard package manager.

📋 Review Findings

Code Quality & Best Practices ✅

• Documentation updates in CLAUDE.md and CODING_AGENTS.md are clear and consistent
• The clarification that Prettier handles non-Ruby files and RuboCop handles Ruby files is accurate and helpful
• The explicit instruction to use only Yarn Classic commands (not npm) is properly emphasized

Potential Issues ⚠️

While the PR achieves its goals, there are opportunities for additional safeguards:

1. Missing CI validation: The project's CI workflows don't explicitly check for the absence of package-lock.json. Consider adding a validation step.

2. Generator code still references npm: The codebase has multiple references to npm in generators and system checkers (e.g., base_generator.rb:111-114, system_checker.rb:393-394). While these are for compatibility with user projects, they could inadvertently create package-lock.json files.

Performance Considerations ✅

• Removing the 11,984 lines from package-lock.json reduces repository size
• No performance impact on the application itself

Security Concerns ✅

• No security issues identified
• Using a single package manager (Yarn) reduces potential dependency conflicts

Test Coverage ✅

• Existing tests in system_checker_spec.rb already handle the absence of package-lock.json
• No test changes required

💡 Recommendations

1. Add CI validation to prevent accidental commits of package-lock.json (see example workflow step in PR discussion)

2. Consider adding a .gitignore entry for package-lock.json to prevent accidental commits

3. Update generator warnings: When the generators detect package-lock.json in user projects, consider showing a warning that React on Rails recommends Yarn for consistency

✅ Approval

The changes look good and achieve the stated objectives. The PR correctly removes the unwanted file and updates documentation to prevent future occurrences. The suggested improvements above would provide additional safeguards but are not blockers for merging.