
fix(scripts): regenerate package-lock.json via npm instead of sed#2639

Merged
kthoms merged 2 commits into
mainfrom
copilot/fix-set-project-version-script
Mar 23, 2026
Conversation

Copilot AI commented Mar 23, 2026

Contributor

set-project-version.sh used sed to replace "version": "<current>" across all package.json and package-lock.json files. Since package-lock.json stores exact versions for every resolved dependency, any npm package that coincidentally shares the project version gets corrupted — e.g. picocolor@1.1.1 became picocolor@1.1.2-SNAPSHOT when the project was bumped from 1.1.1.

Changes

  • Remove package-lock.json from the sed loop — only package.json files are updated via text replacement
  • Exclude node_modules from find when collecting package.json files
  • Regenerate lock files via npm install --package-lock-only — runs in each directory that owns a package-lock.json after its package.json is updated, letting npm produce a correct lock file without touching dependency versions
Original prompt

This section details the original issue you should resolve

<issue_title>set-project-version.sh replaces unwanted in package-lock.json</issue_title>
<issue_description>## What needs to be done?

The script .github/scripts/set-project-version.sh does an illegal replacement of the version in webapps/frontend/package-lock.json and engine-rest/docs/package-lock.json.

In commit 843c2fd the project version was incremented from 1.1.1 to 1.1.2-SNAPSHOT, which also replaced library versions.

The script must only change the project & package version, but not any library version. The package-lock.json file has to be updated via npm install.

Additional context


</issue_description>

Comments on the Issue (you are @copilot in this section)


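The failure mode in the description (a blanket replace of `"version": "<current>"` also rewrites any dependency entry that happens to share the project version) and the check a release engineer wants on the lock file that `npm install --package-lock-only` writes back, as an added example in Python rather than the project's own bash script. The sample package.json and package-lock.json are constructed inline (the `picocolors` entry and its `integrity` value are placeholders, not real registry data); `naive_text_bump` reproduces the old sed behaviour, `bump_project_version` is a JSON-aware bump that touches only the project's own version fields, and `unexpected_lock_changes` reports any lock entry that changed beyond those fields, which is what to run on a regenerated lock before committing a version bump.

```python
import json

# --- Constructed sample files (illustrative, not from the operaton repo) ---
# The project sits at 1.1.1 and depends on a package that is also at 1.1.1,
# the coincidence that corrupted the real lock file.
CURRENT = "1.1.1"
NEW = "1.1.2-SNAPSHOT"

PACKAGE_JSON = json.dumps({
    "name": "sample-frontend",
    "version": CURRENT,
    "dependencies": {"picocolors": CURRENT},
}, indent=2) + "\n"

PACKAGE_LOCK = json.dumps({
    "name": "sample-frontend",
    "version": CURRENT,
    "lockfileVersion": 3,
    "requires": True,
    "packages": {
        # lockfile v2/v3: the project itself is the "" entry
        "": {"name": "sample-frontend", "version": CURRENT,
             "dependencies": {"picocolors": CURRENT}},
        "node_modules/picocolors": {
            "version": CURRENT,
            "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
            "integrity": "sha512-placeholder-not-a-real-hash",  # constructed
        },
    },
}, indent=2) + "\n"


def naive_text_bump(text: str, current: str, new: str) -> str:
    """Pre-fix behaviour: replace every `"version": "<current>"` in the file,
    project and dependency entries alike."""
    return text.replace(f'"version": "{current}"', f'"version": "{new}"')


def lock_versions(lock_text: str) -> dict:
    """Map each package-lock entry path to its recorded version ('' is the project)."""
    lock = json.loads(lock_text)
    return {path: entry.get("version") for path, entry in lock["packages"].items()}


def package_version(pkg_text: str) -> str:
    return json.loads(pkg_text)["version"]


def bump_project_version(pkg_text: str, lock_text: str, new: str) -> tuple:
    """JSON-aware bump: set only the project's own version fields.

    The project appears twice in a v2/v3 lock (top-level "version" and
    packages[""]); every node_modules/* entry is left untouched.
    """
    pkg = json.loads(pkg_text)
    lock = json.loads(lock_text)
    pkg["version"] = new
    lock["version"] = new
    lock["packages"][""]["version"] = new
    return json.dumps(pkg, indent=2) + "\n", json.dumps(lock, indent=2) + "\n"


def unexpected_lock_changes(old_lock_text: str, new_lock_text: str) -> list:
    """Entry paths that changed other than the project's own version field.

    Run this on the lock file produced by `npm install --package-lock-only`:
    an empty list means only the project was bumped; any node_modules/* path
    means a dependency was re-resolved (new version, resolved URL or
    integrity hash), which a version-bump commit should not carry.
    """
    old, new = json.loads(old_lock_text), json.loads(new_lock_text)
    changed = []
    for path in sorted(set(old["packages"]) | set(new["packages"])):
        o = old["packages"].get(path, {})
        n = new["packages"].get(path, {})
        if path == "":
            # root entry: everything except "version" must be identical
            o = {k: v for k, v in o.items() if k != "version"}
            n = {k: v for k, v in n.items() if k != "version"}
        if o != n:
            changed.append(path)
    return changed


if __name__ == "__main__":
    print("naive:", lock_versions(naive_text_bump(PACKAGE_LOCK, CURRENT, NEW)))
    _, safe_lock = bump_project_version(PACKAGE_JSON, PACKAGE_LOCK, NEW)
    print("safe: ", lock_versions(safe_lock))
    print("unexpected changes in safe bump:", unexpected_lock_changes(PACKAGE_LOCK, safe_lock))
```

The check is deliberately stricter than "the diff looks small": it compares `resolved` and `integrity` too, so a regeneration that silently moved a transitive dependency to a different tarball is caught even when the version string is unchanged.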

Fixes the issue where set-project-version.sh incorrectly replaced
library dependency versions in package-lock.json files that happened
to match the current project version.

Changes:
- Remove package-lock.json files from the sed replacement loop
- Exclude node_modules from find commands for package.json
- Add a new step that runs 'npm install --package-lock-only' in each
  directory containing a package-lock.json to correctly regenerate
  the lock file without touching library versions

Co-authored-by: kthoms <265597+kthoms@users.noreply.github.com>
Agent-Logs-Url: https://github.com/operaton/operaton/sessions/7883b528-117e-4def-b7f1-d49cb000503f
Copilot AI changed the title from "[WIP] Fix set-project-version.sh to only update project version" to "fix(scripts): regenerate package-lock.json via npm instead of sed" on Mar 23, 2026
Copilot AI requested a review from kthoms March 23, 2026 05:36
@kthoms kthoms marked this pull request as ready for review March 23, 2026 09:25
Copilot AI review requested due to automatic review settings March 23, 2026 09:26
@kthoms kthoms merged commit ef9a922 into main Mar 23, 2026
14 checks passed
@kthoms kthoms deleted the copilot/fix-set-project-version-script branch March 23, 2026 09:26

Copilot AI left a comment

Contributor


Pull request overview

This PR updates the release/version-bump automation to avoid corrupting dependency versions in package-lock.json by no longer editing lockfiles with sed, and instead regenerating them through npm.

Changes:

  • Update only package.json versions via text replacement (exclude package-lock.json).
  • Exclude node_modules when discovering package.json/package-lock.json files.
  • Regenerate each package-lock.json using npm install --package-lock-only in the corresponding directory.

Comment on lines +60 to +67
PACKAGE_JSON_FILES=($(find . -name package.json -not -path "*/node_modules/*"))

for PACKAGE_JSON_FILE in "${PACKAGE_JSON_FILES[@]}"; do
sed -i '' -e "s/\"version\": \"$CURRENT_VERSION\"/\"version\": \"$NEW_VERSION\"/" $PACKAGE_JSON_FILE
done

echo "🔄 Regenerating package-lock.json files via npm install"
PACKAGE_LOCK_FILES=($(find . -name package-lock.json -not -path "*/node_modules/*"))
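Review bot: `$PACKAGE_JSON_FILE` is unquoted in the sed call, which undoes the `"${PACKAGE_JSON_FILES[@]}"` quoting on the loop line; write `"$PACKAGE_JSON_FILE"`. The loop also never checks that the replacement matched: sed exits 0 when the pattern is absent, so a package.json whose version is already out of step with `$CURRENT_VERSION` is left unchanged and the script still reports success. A `grep -q "\"version\": \"$NEW_VERSION\"" "$PACKAGE_JSON_FILE" || exit 1` after the sed would make that visible before the lock regeneration runs against a stale package.json.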

Copilot AI Mar 23, 2026


PACKAGE_JSON_FILES=($(find ...)) relies on word-splitting and will break if any path contains whitespace/newlines. Consider using a NUL-delimited find ... -print0 with mapfile -d '' -t (or a while IFS= read -r -d '' loop) to populate the array safely.

Suggested change
PACKAGE_JSON_FILES=($(find . -name package.json -not -path "*/node_modules/*"))
for PACKAGE_JSON_FILE in "${PACKAGE_JSON_FILES[@]}"; do
sed -i '' -e "s/\"version\": \"$CURRENT_VERSION\"/\"version\": \"$NEW_VERSION\"/" $PACKAGE_JSON_FILE
done
echo "🔄 Regenerating package-lock.json files via npm install"
PACKAGE_LOCK_FILES=($(find . -name package-lock.json -not -path "*/node_modules/*"))
PACKAGE_JSON_FILES=()
while IFS= read -r -d '' PACKAGE_JSON_FILE; do
PACKAGE_JSON_FILES+=("$PACKAGE_JSON_FILE")
done < <(find . -name package.json -not -path "*/node_modules/*" -print0)
for PACKAGE_JSON_FILE in "${PACKAGE_JSON_FILES[@]}"; do
sed -i '' -e "s/\"version\": \"$CURRENT_VERSION\"/\"version\": \"$NEW_VERSION\"/" "$PACKAGE_JSON_FILE"
done
echo "🔄 Regenerating package-lock.json files via npm install"
PACKAGE_LOCK_FILES=()
while IFS= read -r -d '' PACKAGE_LOCK_FILE; do
PACKAGE_LOCK_FILES+=("$PACKAGE_LOCK_FILE")
done < <(find . -name package-lock.json -not -path "*/node_modules/*" -print0)

Comment on lines 62 to 64
for PACKAGE_JSON_FILE in "${PACKAGE_JSON_FILES[@]}"; do
sed -i '' -e "s/\"version\": \"$CURRENT_VERSION\"/\"version\": \"$NEW_VERSION\"/" $PACKAGE_JSON_FILE
done
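Review bot: `$CURRENT_VERSION` is expanded into the sed regex without escaping, so each `.` in a version such as `1.1.1` matches any character, and a `$NEW_VERSION` containing `/` or `&` breaks the `s///` expression. Escape both values before expansion, or anchor the match so it only applies to the root `"version"` key rather than any line in the file that happens to contain the string.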

Copilot AI Mar 23, 2026


The in-place edit uses sed -i '', which is BSD/macOS-specific; GNU sed (Ubuntu runners) treats the empty string as a positional arg and fails. Since this script is invoked from GitHub Actions on Ubuntu, consider a portable helper that selects sed -i''/sed -i for GNU sed and sed -i '' for BSD sed.

Comment on lines +66 to +72
echo "🔄 Regenerating package-lock.json files via npm install"
PACKAGE_LOCK_FILES=($(find . -name package-lock.json -not -path "*/node_modules/*"))

for PACKAGE_LOCK_FILE in "${PACKAGE_LOCK_FILES[@]}"; do
PACKAGE_LOCK_DIR=$(dirname "$PACKAGE_LOCK_FILE")
echo " Running npm install --package-lock-only in $PACKAGE_LOCK_DIR"
(cd "$PACKAGE_LOCK_DIR" && npm install --package-lock-only)
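Review bot: `npm install --package-lock-only` contacts the registry and rewrites any lock entry it considers out of sync with package.json, so a version bump can also move dependency `resolved` and `integrity` fields; the resulting commit should be checked to contain only the root `version` changes in each lock file. `npm version "$NEW_VERSION" --no-git-tag-version` run in `$PACKAGE_LOCK_DIR` updates both package.json and package-lock.json without resolving against the registry and would make the sed pass unnecessary for these directories (it runs the package's `preversion`/`version`/`postversion` scripts unless `--ignore-scripts` is given). Separately, a failing `npm install` inside the `( ... )` subshell only aborts the script if it runs under `set -e`, which these lines do not show; without it a stale lock file is committed silently.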

Copilot AI Mar 23, 2026


This script now depends on npm being available and on a consistent npm version to avoid lockfile churn. Consider adding an explicit command -v npm check with a clear error, and (for CI) pass --no-audit --no-fund (and optionally --ignore-scripts) to make lock regeneration faster and less noisy.

@sonarqubecloud


Quality Gate failed

Failed conditions
1 Security Hotspot

See analysis details on SonarQube Cloud


Development

Successfully merging this pull request may close these issues.

set-project-version.sh replaces unwanted in package-lock.json

3 participants