Background
npm has accepted RFC #868: npm 12 will block dependency install scripts (postinstall) by default. The cypress package downloads its binary via a postinstall script, so under npm 12 a package-manager install no longer downloads the binary unless the consumer opts in or runs an explicit install.
Impact on the action
index.js installs dependencies with npm ci / yarn --frozen-lockfile / pnpm install --frozen-lockfile (or a custom install-command), then runs npx cypress verify. It relies on the package manager implicitly running postinstall to download the binary.
- Cache hit (steady-state CI): binary restored from
~/.cache/Cypress, unaffected.
- Cache miss / first run / cache-key change: under npm 12,
npm ci won't run postinstall, the binary isn't downloaded, and cypress verify fails. This is the dangerous path — it works for repeat runs but breaks for new repos, dependency bumps, and cache evictions.
This isn't only an npm-12 concern: pnpm and Yarn Berry (≥4.14) already block install scripts by default, so those paths have the same cold-cache failure today unless the user has separately opted in.
Proposed fix
Run an explicit, package-manager-aware cypress install after dependency install, for all package managers (the action already detects it by lockfile):
npm → npx cypress installyarn → yarn cypress installpnpm → pnpm cypress install
Safe to run unconditionally — a no-op when the binary is already present, a download when it isn't.
References
Background
npm has accepted RFC #868: npm 12 will block dependency install scripts (
postinstall) by default. Thecypresspackage downloads its binary via apostinstallscript, so under npm 12 a package-manager install no longer downloads the binary unless the consumer opts in or runs an explicit install.Impact on the action
index.jsinstalls dependencies withnpm ci/yarn --frozen-lockfile/pnpm install --frozen-lockfile(or a custominstall-command), then runsnpx cypress verify. It relies on the package manager implicitly runningpostinstallto download the binary.~/.cache/Cypress, unaffected.npm ciwon't runpostinstall, the binary isn't downloaded, andcypress verifyfails. This is the dangerous path — it works for repeat runs but breaks for new repos, dependency bumps, and cache evictions.This isn't only an npm-12 concern: pnpm and Yarn Berry (≥4.14) already block install scripts by default, so those paths have the same cold-cache failure today unless the user has separately opted in.
Proposed fix
Run an explicit, package-manager-aware
cypress installafter dependency install, for all package managers (the action already detects it by lockfile):npm→npx cypress installyarn→yarn cypress installpnpm→pnpm cypress installSafe to run unconditionally — a no-op when the binary is already present, a download when it isn't.
References