The `--no-package-lock` workaround was added due to npm bug #4828, where
npm < 11.3.0 generates incomplete lockfiles for packages with optional
platform dependencies (esbuild, rollup).

Optional cross-platform dependencies were restored to
`package-lock.json` in 358f276, so npm will be able to install from the
lock file in the GitHub Actions.

Also, fixed in npm 11.3.0 (Apr 2025), but Node v22 ships npm v10 and
will remain affected out-of-the-box.

Investigation notes follow.

What happened?
--------------

1. Switch from yarn to npm: `package-lock.json` added, `yarn.lock` removed
  - modelcontextprotocol@702f827

  Presumably:
    - run `npm install` to generate a `package-lock.json` from the yarn-managed `node_modules`, on macos
    - bug #4828: npm omitted optional cross-platform dependencies from the lock file

2. Pull 47, tries `npm ci`, and reverts, on 11 Nov 2024
modelcontextprotocol@3789ef9
  - "Try restoring npm ci" --> testing the new node release for the bug?
  - ran against `setup-node`, `node-version: 18`, likely: 18.20.5 (released nov 11, 2024; ~same day)
    - git show 3789ef9:.github/workflows/main.yml

  - Failed action, and logs have expired
    - https://github.com/modelcontextprotocol/inspector/actions/runs/11782443393/job/32817472448

  - https://nodejs.org/en/download/archive/v18.20.5
    - uses npm 10.8.2

  - Re-tried in inspector fork
    - workflow run at 3789ef9
    - change `node-version: 18` to `18.20.5` (exact node / npm on commit date)
    - Fails due to missing `linux-x64-gnu` platform dep (rollup, would similarly affect esbuild)

3. Cross-platform dependencies restored to lockfile on 1 May 2025
modelcontextprotocol#372
  - modelcontextprotocol@358f276
  - worked because `package-lock.json` and `node_modules` were both removed
    - i.e., not the bug conditions -> even npm < 11.3.0 generates correct lockfile

  - At that point, `--no-package-lock` could've been removed from CI, Dockerfile, etc.

NPM
---

npm (aborist) fixed #4828
npm/cli#8184
  - npm/cli#4828 --> frequent http 500, due to many comments
  - npm/cli@a96d8f6
  - will not be backported

Released in 11.3.0 on 8 Apr
npm/cli#8150
  - https://github.com/npm/cli/releases/tag/v11.3.0
    - arborist 9.0.2
    - https://github.com/npm/cli/releases/tag/arborist-v9.0.2

  - npm v11.3.0 ships with node v24.2.0, on 6 May 2025
    - https://nodejs.org/en/download/archive/v24

Node v22 ships npm v10
  - https://nodejs.org/en/download/archive/v22
  - will always be affected, no backport coming

The `--no-package-lock` workaround was added due to npm bug #4828, where
npm < 11.3.0 generates incomplete lockfiles for packages with optional
platform dependencies (esbuild, rollup).

Optional cross-platform dependencies were restored to
`package-lock.json` in 358f276, so npm will be able to install from the
lock file in the GitHub Actions.

Also, fixed in npm 11.3.0 (Apr 2025), but Node v22 ships npm v10 and
will remain affected out-of-the-box.

Investigation notes follow.

What happened?
--------------

1. Switch from yarn to npm: `package-lock.json` added, `yarn.lock` removed
  - modelcontextprotocol@702f827

  Presumably:
    - run `npm install` to generate a `package-lock.json` from the yarn-managed `node_modules`, on macos
    - bug #4828: npm omitted optional cross-platform dependencies from the lock file

  npm can't easily fix this.  `npm install [email protected]` could write a
  resolved dependency, but at the exact version so `foo` would be pinned,
  and semver operator twiddling would be required to restore it as-was.

  The fix would be to "manually" re-add the missing metadata.

2. Pull 47, tries `npm ci`, and reverts, on 11 Nov 2024
modelcontextprotocol@3789ef9
  - "Try restoring npm ci" --> testing the new node release for the bug?
  - ran against `setup-node`, `node-version: 18`, likely: 18.20.5 (released nov 11, 2024; ~same day)
    - git show 3789ef9:.github/workflows/main.yml

  - Failed action, and logs have expired
    - https://github.com/modelcontextprotocol/inspector/actions/runs/11782443393/job/32817472448

  - https://nodejs.org/en/download/archive/v18.20.5
    - uses npm 10.8.2

  - Re-tried in inspector fork
    - workflow run at 3789ef9
    - change `node-version: 18` to `18.20.5` (exact node / npm on commit date)
    - Fails due to missing `linux-x64-gnu` platform dep (rollup, would similarly affect esbuild)

3. Cross-platform dependencies restored to lockfile on 1 May 2025
modelcontextprotocol#372
  - modelcontextprotocol@358f276
  - worked because `package-lock.json` and `node_modules` were both removed
    - i.e., not the bug conditions -> even npm < 11.3.0 generates correct lockfile

  - At that point, `--no-package-lock` could've been removed from CI, Dockerfile, etc.

NPM
---

npm (aborist) fixed #4828
npm/cli#8184
  - npm/cli#4828 --> frequent http 500, due to many comments
  - npm/cli@a96d8f6
  - will not be backported

Released in 11.3.0 on 8 Apr
npm/cli#8150
  - https://github.com/npm/cli/releases/tag/v11.3.0
    - arborist 9.0.2
    - https://github.com/npm/cli/releases/tag/arborist-v9.0.2

  - npm v11.3.0 ships with node v24.2.0, on 6 May 2025
    - https://nodejs.org/en/download/archive/v24

Node v22 ships npm v10
  - https://nodejs.org/en/download/archive/v22
  - will always be affected, no backport coming