
Tighten node requirements #6759

Closed: romaricpascal wants to merge 3 commits into main from tighten-node-requirements

@romaricpascal

Member

Tightens our requirements on Node version to an exact version and updates to the latest Node and npm version (that second part can be extracted in its own PR or left).

This has been preferred over loosening our requirements on the npm version as running 11.8.0 on a package-lock.json generated with 11.6.2 errored from missing dependencies in the package-lock file.

Why

We had a couple of CI fails from Dependabot updates:

These updates try to install our project using npm@11.8.0 where our engines field
in package.json specifies npm@11.6.2 (as an exact version).

PRs not updating package.json and package-lock.json seem unaffected (for now), so benefit from the cached dependencies on CI.

In more detail

As those PRs are Dependabot updates, package.json and package-lock.json have been updated,
so dependencies are not cached and npm runs.

There's a mix of things happening:

Because .nvmrc only controls the version of Node being installed, not npm, having one with a loose requirement and one with a tight requirement led to the current situation.

Because there are issues running 11.8.0 with a lockfile from 11.6.2, best to tighten the requirements on Node rather than loosen them.

We should keep an eye on Node's releases to pick up new LTS releases.

Node 24.13.1 installs npm at 11.8.0, which causes an installation issue with our package-lock.json.
To avoid this, and such unexpected surprises in the future, lock the installed version to 24.13.0
which still runs 11.6.2.

In light of a patch release from Node breaking our requirement on npm,
we better keep the requirement for the Node version to a specific version

While in the land of Node and npm versions, might as well check we're up to date

romaricpascal requested a review from a team as a code owner on February 20, 2026 11:59

govuk-design-system-ci temporarily deployed to govuk-frontend-pr-6759 on February 20, 2026 12:00 (Inactive)

@github-actions


📋 Stats

No changes to any distributed file sizes!


Action run for b6c8686

@colinrotherham

colinrotherham commented Feb 20, 2026

Contributor

Probably don't do this 😬

It looks like Dependabot still generates package-lock.json updates using npm v11.7.0 until this merges:

Similarly back in the day, unless the semver ranges matched then npm link didn't work across Node.js versions (e.g. when linking a local GOV.UK Frontend build to your local GOV.UK Design System)

This was because tools like nvm and asdf shim node and npm to run from different directories.

Missing dependencies

> This has been preferred over loosening our requirements on the npm version as running 11.8.0 on a package-lock.json generated with 11.6.2 errored from missing dependencies in the package-lock file.

Instead, missing packages that are automatically added or removed (depending on npm version) can often be made stable again by resolving semver resolution issues in peer and optional packages by doing this:

```shell
npm update --save
npm dedupe
```

Mismatch warnings

This PR will also affect contributors on different Node.js versions managed by their admins or app stores

Mismatch warnings will be logged by npm like this:

```
npm warn EBADENGINE Unsupported engine {
npm warn EBADENGINE   package: undefined,
npm warn EBADENGINE   required: { node: '24.13.1', npm: '11.8.0' },
npm warn EBADENGINE   current: { node: 'v24.13.0', npm: '11.10.1' }
npm warn EBADENGINE }
```

Or errors for when the engine-strict config flag is set

```
npm error code EBADENGINE
npm error engine Unsupported engine
npm error engine Not compatible with your version of node/npm: undefined
npm error notsup Not compatible with your version of node/npm: undefined
npm error notsup Required: {"node":"24.11.0","npm":"11.6.1"}
npm error notsup Actual:   {"node":"v24.13.0","npm":"11.10.1"}
```

Unless they're fully comfortable with and have access to nvm install etc

@romaricpascal

Member Author

@colinrotherham Cheers for pointing that out. I'll try to see if relaxing the range for npm in our engines and fixing the dependencies with npm update gets us anywhere 😊
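
The trade-off discussed in this thread (an exact `engines` pin versus a relaxed range), as an added example that is not part of the PR or the project's code: a minimal engines check showing why the exact pin trips when a Node patch release bundles a newer npm, while a caret range does not. The `satisfies` and `checkEngines` helpers are hypothetical, handle only exact, `^` and `~` forms, and are not npm's implementation; the `relaxed` ranges are constructed for illustration.

```javascript
// Added example: minimal engines check. Not npm's implementation.
// Handles exact ("11.6.2"), caret ("^11.6.2") and tilde ("~11.6.2") only.

function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const want = parse(range.slice(op.length));
  const have = parse(version);
  if (op === '') return compare(have, want) === 0; // exact pin
  if (op === '^' && want[0] === 0) throw new Error('^0.x not handled here');
  if (compare(have, want) < 0 || have[0] !== want[0]) return false;
  return op === '^' || have[1] === want[1]; // tilde also fixes the minor
}

// Returns one entry per engine whose running version is outside its range.
function checkEngines(engines, current) {
  return Object.entries(engines)
    .filter(([name, range]) => name in current && !satisfies(current[name], range))
    .map(([name, range]) => ({ engine: name, required: range, current: current[name] }));
}

// Versions taken from the thread; the relaxed ranges are constructed.
const pinned = { node: '24.13.0', npm: '11.6.2' };
const relaxed = { node: '^24.13.0', npm: '^11.6.2' };
const afterPatch = { node: 'v24.13.1', npm: '11.8.0' };

console.log('exact pin:', checkEngines(pinned, afterPatch));
console.log('caret range:', checkEngines(relaxed, afterPatch));
```

A range that passes this check says nothing about whether the lockfile resolves identically under the newer npm, which is the separate problem the `npm update --save` and `npm dedupe` suggestion addresses.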
