fix: audit the committed lockfile without regenerating it in CLI publish workflow#1660
Conversation
Greptile SummaryThis PR fixes the CLI publish workflow's audit step, which was failing because
Confidence Score: 5/5Safe to merge — the change removes a drift check that was producing false failures and retains the vulnerability scan in a more appropriate form for the bun-based build environment. The edit is a targeted one-line replacement in a CI template. It drops the lockfile regeneration-and-diff check that was inherently broken when CI's pinned npm generates different metadata, and retains npm audit --package-lock-only which is the actual security gate. Adding --package-lock-only to the audit is also more correct since bun (not npm) manages node_modules in this workflow. No logic paths outside this step are affected. No files require special attention. Important Files Changed
Reviews (1): Last reviewed commit: "(fix): audit the committed lockfile with..." | Re-trigger Greptile |
Template counterpart of appwrite/sdk-for-cli#340.
The CLI publish workflow's audit step rewrote
package-lock.jsonwith CI's pinned npm and failed on any diff. Since the lock is generated frompackage-lock.json.twig(the single source of truth) and npm versions differ in the lockfile metadata they emit (libcfields,overridesplacement), the check failed whenever the template was regenerated with a different npm than CI's pin — this blocked the sdk-for-cli 22.6.1 release.The step now only runs the vulnerability scan against the committed lock:
npm audit --package-lock-only --audit-level=high --omit=devWithout this template fix, the next CLI regeneration would reintroduce the removed drift check. Lockfile integrity remains covered by
npm ciin validation.