Conversation

@jonchurch jonchurch commented Oct 23, 2025

What does this PR do?

The flag --frozen-lockfile is a yarn flag, not an npm flag.

If the goal is to only do a lockfile upgrade, not an install, npm i --lockfile-version 3 --package-lock-only is the flag.

But if the intent is to get npm ci or yarn install --frozen-lockfile type divergence protection, neither of those allow writing to the lockfile so they couldn't perform the version upgrade anyways.

Be aware, if there is divergence between the package.json and the lockfile, npm i --package-lock-only will update the lockfile dep tree! But the current command does that as is, in addition to installing all the dependencies.

How did you verify your code works?

We noticed the log message when setting up bun CI with a v1 lockfile lodash/lodash#6023 (comment)

To repro

git clone https://github.com/lodash/lodash
cd lodash

npm i --lockfile-version 3 --frozen-lockfile   # --frozen-lockfile is not an npm flag
git diff package-lock.json   # it does the version upgrade
ls node_modules              # also installs modules

# reset
git checkout -- .
rm -rf node_modules

npm i --lockfile-version 3 --package-lock-only
git diff package-lock.json   # version upgraded
ls node_modules              # no modules installed

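As an added example, not Bun's code and not from the PR author, here is a minimal version of the divergence protection the description attributes to `npm ci` / `yarn install --frozen-lockfile`: it compares package.json against a lockfileVersion 1 or 2/3 package-lock.json and reports missing or out-of-range pins instead of rewriting the lockfile. Only exact, `^` and `~` ranges are implemented, and the package.json and lockfiles below are constructed samples.

```javascript
function parseVer(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Simplified semver: exact, caret (^) and tilde (~) ranges only; anything else
// returns null so the caller reports it instead of silently passing it.
function satisfies(version, range) {
  const v = parseVer(version);
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const r = parseVer(range.replace(/^[\^~=v]+/, ""));
  if (!v || !r) return null;
  if (op === "") return v.join(".") === r.join(".");
  if (v[0] !== r[0]) return false;
  if (op === "~") return v[1] === r[1] && v[2] >= r[2];
  if (r[0] === 0) return v[1] === r[1] && v[2] >= r[2]; // ^0.x: minor is breaking
  return v[1] > r[1] || (v[1] === r[1] && v[2] >= r[2]);
}

// Version the lockfile pins for a top-level dependency, or undefined if absent.
// lockfileVersion 1 keeps a "dependencies" map; v2/v3 use "packages" keyed by path.
function lockedVersion(lock, name) {
  if (lock.lockfileVersion === 1) return lock.dependencies?.[name]?.version;
  return lock.packages?.[`node_modules/${name}`]?.version;
}

// Every declared dependency must be present in the lockfile and its pin must
// satisfy the declared range; returns a list of human-readable problems.
function lockfileDivergence(pkg, lock) {
  const declared = { ...pkg.dependencies, ...pkg.devDependencies };
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    const pinned = lockedVersion(lock, name);
    if (!pinned) { problems.push(`${name}: missing from lockfile`); continue; }
    const ok = satisfies(pinned, range);
    if (ok === null) problems.push(`${name}: unsupported range ${range}`);
    else if (!ok) problems.push(`${name}: locked ${pinned} does not satisfy ${range}`);
  }
  return problems;
}

// Constructed sample input: a v1 lockfile whose ms pin drifted below the range,
// and a v3 lockfile that lacks ms entirely.
const samplePkg = { dependencies: { lodash: "^4.17.21", ms: "~2.1.2" } };
const sampleLockV1 = { lockfileVersion: 1,
  dependencies: { lodash: { version: "4.17.21" }, ms: { version: "2.0.0" } } };
const sampleLockV3 = { lockfileVersion: 3,
  packages: { "node_modules/lodash": { version: "4.17.21" } } };
console.log(lockfileDivergence(samplePkg, sampleLockV1));
console.log(lockfileDivergence(samplePkg, sampleLockV3));
```

A non-empty result is the point at which a frozen install should fail rather than let `npm i --package-lock-only` quietly rewrite the dependency tree.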

coderabbitai bot commented Oct 23, 2025

Walkthrough

Error guidance text in the migration module was updated. The npm upgrade command recommendation changed from --frozen-lockfile to --package-lock-only, updating the method for upgrading the lockfile without changing dependencies.

Changes

Cohort / File(s): Error Guidance Updates (src/install/migration.zig)
Change Summary: Updated npm upgrade command from --frozen-lockfile to --package-lock-only in error guidance text

Pre-merge checks

✅ Passed checks (2 passed)
Title Check: ✅ Passed. The pull request title "chore: suggest correct lockfile upgrade command" directly relates to the main change in the changeset, which updates error guidance text to recommend the correct npm flag (--package-lock-only instead of --frozen-lockfile). The title is concise, clear, and specific enough that a teammate scanning the commit history would understand the primary change involves fixing an incorrect lockfile upgrade command suggestion.

Description Check: ✅ Passed. The pull request description contains both required sections from the template. The "What does this PR do?" section is comprehensive, explaining that --frozen-lockfile is a Yarn flag (not npm), and clarifying that --package-lock-only is the correct npm flag for performing a lockfile upgrade. The "How did you verify your code works?" section is similarly complete, providing a detailed reproduction case with specific commands demonstrating the behavioral difference between the two flag approaches. The description is substantive and directly addresses the technical issue rather than being vague or generic.
