fix(superset): Patch pinned packages and re-generate lock file

[Techassi]

This PR pins the @types/offscreencanvas package of Superset (frontend) 4.1.4 to 2019.7.0 in order to fix the following issue encountered since the last few scheduled CI runs. Additionally, it adds a patch with a re-generated package-lock.json file which fully fixes the following error:

Invalid: lock file's @types/offscreencanvas@2019.7.0 does not satisfy @types/offscreencanvas@2019.7.3

This error is very similar to errors fixed in #1363, #1315, and #1316. This is a known weakness/bug in npm.

Test builds in CI:

• https://github.com/stackabletech/docker-images/actions/runs/24068907048 (failed)
• https://github.com/stackabletech/docker-images/actions/runs/24134252438 (succeeded)

[Techassi]

Well, now I'm even more confused:

2026-04-07T07:15:38.9532090Z #64 125.8 npm error `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
2026-04-07T07:15:38.9537843Z #64 125.8 npm error
2026-04-07T07:15:38.9538287Z #64 125.8 npm error Missing: @swc/helpers@0.5.21 from lock file
2026-04-07T07:15:38.9538880Z #64 125.8 npm error Missing: tslib@2.8.1 from lock file

[Techassi]

Okay one image build succeeded, one failed because of an unsuccessful SSL/TLS handshake. Re-running.

[Techassi]

Well, the image builds this PR was supposed to fix are failing because of the error above.

[Techassi]

Okay I tried pinning to 2019.7.3 instead, but that resulted in:

161.3 npm error `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
161.3 npm error
161.3 npm error Invalid: lock file's @types/offscreencanvas@2019.7.0 does not satisfy @types/offscreencanvas@2019.7.3
161.3 npm error Missing: @swc/helpers@0.5.21 from lock file
161.3 npm error Missing: tslib@2.8.1 from lock file

So yeah, we apparently need even more doctoring to get this fixed. npm is just very, very weird :/

[dervoeti]

So currently we decided to play whack-a-mole with patches, which I think is a good approach if we want to try to guarantee we use the same dependencies as upstream used when building the product. It is annoying however.

The problem seems to be that the lockfile is somewhat broken and does not pin all dependencies correctly.

It seems like NPM has fixed some bugs related to lockfile generation in newer versions (e.g. npm/cli#8981). So what we could try to do: regenerate package-lock.json with the latest version of NPM and commit that as a patch (will be a huge diff though). And then use that NPM version inside the Dockerfile to build the Superset frontend. That might remove the need for playing whack-a-mole with dependency pinning.

[Techassi]

That approach definitely also crossed my mind. I can first try to only use a newer npm version before regenerating the whole lock file.

[dervoeti]

You can try it, but I think the problem is that the lockfile does not lock everything properly 😕 With a newer version the lockfile should contain more dependencies.

[Techassi]

You can try it

I tried, and failed. Re-generating the lock file fixed it.

[NickLarsenNZ]

LGTM, but I would recommend using the container image (also keeps the Dockerfile simpler)