by whimblepop 28 days ago
I got "overblocked" for this one:

  rm -rf node_modules && npm install
but actually if you're only removing `node_modules` and you have a working package-lock.json already, what you want is `npm ci`; `npm install` can mutate package-lock.json and potentially expose you to supply chain attacks. If you use `npm ci` I think you don't need to `rm -rf node_modules`, either.

Anyway you should generally run `npm ci` except when you're deliberately updating your actual dependencies. I'd only permit an `npm install` if I was adding or updating a dependency, or I'd just reviewed an `npm ci` failure.


But also why would Claude need to run `rm -rf node_modules && npm install`? Without the context of seeing what changes it’s made, I’d be inclined to assume that Claude has added a new dependency, which I definitely don’t wanna blindly trust it to install.
If the shipped package.json and package-lock.json are actually incompatible/incorrect, something like `npm install` is what you need to reconcile them. But that's definitely a weird situation I would rather investigate myself than hand off to an LLM.
Thanks for the pointer! Renamed it to `npm ci` so it's still 'safe'.
Thanks! Love the game as a whole :)
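One way to enforce the rule from the top comment in a wrapper, as an added example that is not from anyone in this thread: run whichever install command you allow, but refuse to proceed without a lockfile and fail if package-lock.json was rewritten by the command, so a mutated lockfile gets reviewed instead of trusted. The function names (`lock_digest`, `guarded_install`) and the exit codes are my own choices.

```shell
#!/bin/sh
# Added example: detect an install step that silently rewrites the lockfile.
set -eu

# Stable digest of a file; prefers sha256sum, falls back to shasum (macOS).
lock_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Usage: guarded_install <lockfile> <install command...>
# Returns 0 if the command ran and the lockfile is byte-identical afterwards,
# 1 if the lockfile changed, 2 if there was no lockfile, 3 if the command failed.
guarded_install() {
  lock="$1"; shift
  if [ ! -f "$lock" ]; then
    echo "no $lock: refusing to install without a lockfile (use npm ci)" >&2
    return 2
  fi
  before=$(lock_digest "$lock")
  "$@" || { echo "install command failed: $*" >&2; return 3; }
  after=$(lock_digest "$lock")
  if [ "$before" != "$after" ]; then
    echo "$lock was modified by '$*'; review the diff before trusting it" >&2
    return 1
  fi
  return 0
}

# Typical use in a project checkout:
#   guarded_install package-lock.json npm ci
#   guarded_install package-lock.json npm install   # flags lockfile drift
```

With `npm ci` the digest should never change; a non-zero result from the `npm install` form is the signal that dependencies were actually added or resolved differently.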