Skip to content

feat: regenerate lockfile via npm i --package-lock-only in release skill#231

Merged
j4rviscmd merged 3 commits into
mainfrom
feat/release-package-lock-fix
Jul 5, 2026
Merged

feat: regenerate lockfile via npm i --package-lock-only in release skill#231
j4rviscmd merged 3 commits into
mainfrom
feat/release-package-lock-fix

Conversation

@j4rviscmd

Copy link
Copy Markdown
Owner

Summary

Replaces the brittle sed-based package-lock.json version replacement in the release skill with npm i --package-lock-only, and adds a mandatory diff verification step. Also syncs stale lockfile versions missed in recent releases.

Changes

Release skill improvements (.claude/skills/release/SKILL.md)

  • Step 4: Replaced sed-based package-lock.json / extensions/copilot/package-lock.json version string replacement with npm i --package-lock-only (root & extensions/copilot/)
  • Step 4: Added mandatory git diff verification after lockfile regeneration to catch unexpected dependency changes (e.g. indirect dependency updates)
  • Step 0 task 4 description: Updated to reflect the new regeneration method and diff verification step
  • Guardrails: Added a rule prohibiting sed-based lockfile editing (collision risk with other dependency version strings, integrity risk)
  • Spec table: Updated package-lock.json rows to note npm i --package-lock-only regeneration

Stale lockfile sync

  • Synced package-lock.json and extensions/copilot/package-lock.json versions (1.122.0-coderm.0.26.01.122.0-coderm.0.28.0) that were missed in the last 2 releases (0.27.0, 0.28.0) due to the brittle sed approach
  • Confirmed via git diff that only version references changed (no unexpected dependency updates)

Why

The previous sed approach replaces the version string globally, which:

  • Risks colliding with other dependency version strings in the lockfile
  • Can silently fail on Windows/GNU sed (sed -i '' is BSD/macOS-only)
  • Actually caused version update misses in recent releases (lockfile stayed at 0.26.0 while package.json advanced to 0.28.0)

npm i --package-lock-only regenerates the lockfile safely without touching node_modules, and picks up package.json#version changes correctly.

Verification

  • npm i --package-lock-only on root updates only version (2 places)
  • npm i --package-lock-only on extensions/copilot/ updates only engines.vscode (1 place)
  • No unexpected dependency changes in the diff

j4rviscmd and others added 3 commits July 5, 2026 23:23
Co-Authored-By: Claude <noreply@anthropic.com>
Replace sed-based package-lock.json version replacement with
`npm i --package-lock-only` for both root and extensions/copilot,
and add a mandatory git diff verification step to catch unexpected
dependency changes after regeneration.

Also syncs stale lockfile versions (1.122.0-coderm.0.26.0 ->
1.122.0-coderm.0.28.0) missed in recent releases due to the brittle
sed approach being replaced.

Co-Authored-By: Claude <noreply@anthropic.com>
@j4rviscmd j4rviscmd added the enhancement New feature or request label Jul 5, 2026
@j4rviscmd j4rviscmd merged commit 075f188 into main Jul 5, 2026
3 checks passed
@j4rviscmd j4rviscmd deleted the feat/release-package-lock-fix branch July 5, 2026 15:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant