Skip to content

fix: audit the committed lockfile without regenerating it in CLI publish workflow#1660

Merged
ChiragAgg5k merged 1 commit into
mainfrom
fix-cli-audit-template
Jul 10, 2026
Merged

fix: audit the committed lockfile without regenerating it in CLI publish workflow#1660
ChiragAgg5k merged 1 commit into
mainfrom
fix-cli-audit-template

Conversation

@ChiragAgg5k

Copy link
Copy Markdown
Member

Template counterpart of appwrite/sdk-for-cli#340.

The CLI publish workflow's audit step rewrote package-lock.json with CI's pinned npm and failed on any diff. Since the lock is generated from package-lock.json.twig (the single source of truth) and npm versions differ in the lockfile metadata they emit (libc fields, overrides placement), the check failed whenever the template was regenerated with a different npm than CI's pin — this blocked the sdk-for-cli 22.6.1 release.

The step now only runs the vulnerability scan against the committed lock:

npm audit --package-lock-only --audit-level=high --omit=dev

Without this template fix, the next CLI regeneration would reintroduce the removed drift check. Lockfile integrity remains covered by npm ci in validation.

@greptile-apps

greptile-apps Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR fixes the CLI publish workflow's audit step, which was failing because npm install --package-lock-only rewrote package-lock.json with CI's pinned npm version — emitting different metadata (libc fields, overrides placement) than the version used to originally generate the file — causing the subsequent git diff --exit-code to fail and blocking releases.

  • The drift check (npm install --package-lock-only + git diff --exit-code) is removed; vulnerability scanning is preserved via npm audit --package-lock-only --audit-level=high --omit=dev.
  • Adding --package-lock-only to the audit command is also more correct in this context because the project installs with bun install --frozen-lockfile, not npm, so there are no npm-managed node_modules for the old npm audit to inspect.

Confidence Score: 5/5

Safe to merge — the change removes a drift check that was producing false failures and retains the vulnerability scan in a more appropriate form for the bun-based build environment.

The edit is a targeted one-line replacement in a CI template. It drops the lockfile regeneration-and-diff check that was inherently broken when CI's pinned npm generates different metadata, and retains npm audit --package-lock-only which is the actual security gate. Adding --package-lock-only to the audit is also more correct since bun (not npm) manages node_modules in this workflow. No logic paths outside this step are affected.

No files require special attention.

Important Files Changed

Filename Overview
templates/cli/.github/workflows/publish.yml Simplifies the 'Audit npm dependencies' step: removes the lockfile drift check (npm install --package-lock-only + git diff) and keeps only the vulnerability scan (npm audit --package-lock-only --audit-level=high --omit=dev). The added --package-lock-only flag is also more correct here since node_modules are installed via bun, not npm.

Reviews (1): Last reviewed commit: "(fix): audit the committed lockfile with..." | Re-trigger Greptile

@ChiragAgg5k ChiragAgg5k merged commit 42a475e into main Jul 10, 2026
58 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant