wasteful-npm-global-install
What It Detects
Jobs that use yarn, pnpm, or bun for package management but still run
npm install -g npm@latest (or similar npm global upgrade commands).
Why It Matters
Upgrading npm globally adds unnecessary CI overhead (5-15s) when the project uses yarn, pnpm, or bun as its package manager. The npm version on the runner does not affect:
- Dependency resolution (handled by yarn/pnpm/bun)
- Build scripts (run through the project’s package manager)
- Lock file generation (generated by yarn/pnpm/bun)
Example
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install -g npm@latest
      - run: yarn install
      - run: yarn build
The npm install -g npm@latest step is wasteful because the job uses yarn
for all package management.
Exceptions
The rule does not fire when the same workflow also calls npm publish, since
a newer npm version may be relevant for publish behavior.
Suggested Action
Remove the npm install -g npm step. yarn, pnpm, and bun manage their own
dependency resolution and do not rely on the npm CLI version on the runner.
Measurement
Compare the job wall-clock time before and after removing the npm global upgrade step.
Compatibility
This rule detects npm install -g npm, npm i -g npm, npm update -g npm,
and npm upgrade -g npm. It triggers only when the job also calls
yarn install, pnpm install, or bun install.
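
The detection conditions above and the npm publish exception, as an added Python sketch (not the rule's own implementation). The regular expressions, function names, and the sample workflow dict are assumptions built from the commands this page lists; the workflow is passed in as an already-parsed mapping.

```python
import re

# Assumed patterns for the commands the page lists: npm install|i|update|upgrade -g npm
NPM_GLOBAL_UPGRADE = re.compile(
    r"\bnpm\s+(?:install|i|update|upgrade)\s+-g\s+npm(?:@\S+)?(?![\w./-])"
)
OTHER_PM_INSTALL = re.compile(r"\b(?:yarn|pnpm|bun)\s+install\b")
NPM_PUBLISH = re.compile(r"\bnpm\s+publish\b")


def run_commands(job):
    """Return [(step_index, command)] for every `run:` step of a job."""
    return [(i, s["run"]) for i, s in enumerate(job.get("steps", [])) if "run" in s]


def find_wasteful_npm_upgrades(workflow):
    """Return [(job_id, step_index)] for npm self-upgrades in yarn/pnpm/bun jobs."""
    jobs = workflow.get("jobs", {})
    # Exception: an npm publish anywhere in the workflow suppresses the rule.
    if any(NPM_PUBLISH.search(c) for j in jobs.values() for _, c in run_commands(j)):
        return []
    findings = []
    for job_id, job in jobs.items():
        cmds = run_commands(job)
        # The rule only applies to jobs that install with yarn, pnpm, or bun.
        if not any(OTHER_PM_INSTALL.search(c) for _, c in cmds):
            continue
        findings += [(job_id, i) for i, c in cmds if NPM_GLOBAL_UPGRADE.search(c)]
    return findings


# Constructed sample mirroring the Example section (parsed YAML as a dict).
WORKFLOW = {"jobs": {"ci": {"runs-on": "ubuntu-latest", "steps": [
    {"uses": "actions/checkout@v4"},
    {"run": "npm install -g npm@latest"},
    {"run": "yarn install"},
    {"run": "yarn build"},
]}}}

if __name__ == "__main__":
    for job_id, idx in find_wasteful_npm_upgrades(WORKFLOW):
        print(f"job {job_id!r}, step {idx}: npm global upgrade is unused by this job")
```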