Some worked fine, updating the version, resolved, and integrity in package-lock.json[1]
"y18n": { - "version": "3.2.1", + "version": "3.2.2", - "resolved": "https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz", + "resolved": "https://registry.npmjs.org/y18n/-/y18n-3.2.2.tgz", - "integrity": "sha1-bRX7qITAhnnA136I53WegR4H+kE=", + "integrity": "sha512-uGZHXkHnhF0XeeAPgnKfPv1bgKAYyVvmNL1xlKsPYZPaIHxGti2hHqvOCQv71XMsLxu1QjergkqogUnms5D3YQ==", "dev": true }
Some, however, just removed the integrity, set the resolved to an empty string, and didn't change the version
"y18n": { "version": "3.2.1", - "resolved": "https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz", + "resolved": "", - "integrity": "sha1-bRX7qITAhnnA136I53WegR4H+kE=", "dev": true }
At first I thought it was tied to whether there were other changes in the commit, since the first few bad commits I found also had "Dropped .php5 and .inc files from .phpcs.xml" as an additional change, but then I found some bad commits without that additional change:
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PronunciationRecording/+/675654
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikisource/+/675784
https://gerrit.wikimedia.org/r/c/mediawiki/skins/CologneBlue/+/675789
https://gerrit.wikimedia.org/r/c/mediawiki/skins/apex/+/675798
[1] Example good commits:
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/ShoutWikiAds/+/675712
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SmiteSpam/+/675714