`npm config get cache` fails with `EBADDEVENGINES` when requiring newer npm versions in `devEngines`

[patrik-csak]

Description: setup-node fails immediately if the initial npm version doesn't satisfy devEngines.packageManager.version

If a package requires a specific version of Node.js and a specific version of npm, but the built-in npm version is different than the package's required npm version, setup-node fails immediately (at npm config get cache) with EBADDEVENGINES, before there is a chance to install a different version of npm

For example, if my package requires Node.js v22.x and npm v11.10+, npm config get cache fails because Node.js v22 ships with npm v10

Action version: v6.4.0

Platform:

• Ubuntu
• macOS
• Windows

Runner type:

• Hosted
• Self-hosted

Tools version:

• Node.js: 22.22.2
• npm: 10.9.7

Repro steps:

1. Configure package.json

   {
   	"engines": {
   		"node": "^22"
   	},
   	"devEngines": {
   		"packageManager": {
   			"name": "npm",
   			"version": "^11.10.0"
   		}
   	}
   }

2. Call setup-node

   jobs:
     setup-node:
       runs-on: 'ubuntu-latest'
       steps:
         - uses: actions/checkout@v6.0.2
   
         # fails
         - uses: actions/setup-node@v6.4.0
           with:
             node-version-file: package.json
   
         # never runs
         - run: npm --global install npm@^11.10.0

3. setup-node fails

   Run actions/setup-node@v6.4.0
   with:
     node-version-file: package.json
     check-latest: false
     token: ***
     package-manager-cache: true
   
   Resolved package.json as ^22
   Found in cache @ /opt/hostedtoolcache/node/22.22.2/x64
   
   Environment details
   node: v22.22.2
   npm: 10.9.7
   yarn: 1.22.22
   
   Detected npm as the package manager from package.json's packageManager field. Auto caching has been enabled for npm. If you want to disable it, set package-manager-cache input to false
   /opt/hostedtoolcache/node/22.22.2/x64/bin/npm config get cache
   npm error code EBADDEVENGINES
   npm error EBADDEVENGINES The developer of this package has specified the following through devEngines
   npm error EBADDEVENGINES Invalid devEngines.packageManager
   npm error EBADDEVENGINES Invalid semver version "^11.10.0" does not match "10.9.7" for "packageManager"
   npm error EBADDEVENGINES {
   npm error EBADDEVENGINES   current: { name: 'npm', version: '10.9.7' },
   npm error EBADDEVENGINES   required: { name: 'npm', version: '^11.10.0' }
   npm error EBADDEVENGINES }
   

Expected behavior:

I expect setup-node to succeed so that I can immediately install a version of npm required by my project

Actual behavior:

setup-node fails before I can install a version of npm required by my project

---

My use case:

My app requires Node.js v22, so I declare that in package.json.engines:

{
	"engines": {
		"node": "^22"
	}
}

I want to enforce min-release-age, so I add it to .npmrc:

min-release-age = 1

min-release-age was added in npm v11.10.0, so I require npm v11.10+ in package.json.devEngines:

{
	"devEngines": {
		"packageManager": {
			"name": "npm",
			"version": "^11.10.0"
		}
	}
}

---

This is basically the same as #1410, but #1410 was closed with a workaround that only works in certain situations. I created this issue to explain my use case, and my project's constraints, which I think should be pretty standard: require the Maintenance LTS version of Node.js and a newer minimum version of npm

#1410 was closed with this workaround:

The reliable workaround is to specify a Node version in setup-node that already includes the npm version your devEngines.packageManager requires. This ensures the npm version matches your project’s requirements from the start.

This is only possible if your Node.js version is flexible and happens to ship with an npm version that satisfies the project's requirements

---

Related: #529

[chiranjib-swain]

Hi @patrik-csak ,
Thank you for creating this issue. We will investigate it and provide feedback as soon as we have some updates.