chore: sync package-lock.json with packages/cli ws dependencies#5023
Conversation
|
Thanks for the PR! Template looks good ✓ — all primary sections present (What/Why/Reviewer Test Plan). Missing the secondary "Risk & Scope" and "Linked Issues" headings and the 中文说明 details block, but for a 3-line lockfile sync that's fine — no blocker. On direction: this is a straightforward maintenance fix — On approach: minimal and correct. The diff is exactly the 3 lines Moving on to code review and verification. 🔍 中文说明感谢贡献! 模板基本完整 ✓ — 主要章节(What/Why/Reviewer Test Plan)都有。缺少次要的 "Risk & Scope"、"Linked Issues" 和中文说明折叠块,但对于 3 行的 lockfile 同步来说不影响合入。 方向:这是纯粹的维护性修复 — 方案:最小且正确。diff 恰好是 进入代码审查和验证 🔍 — Qwen Code · qwen3.7-max |
Code ReviewLockfile-only change, 1 file, 3 insertions, 0 deletions. I verified each hunk:
No correctness issues. The diff is exactly what Before (main branch — npm install dirties the tree)After (with this PR's lockfile committed — npm install is clean)PR does exactly what it says. No more, no less. ✅ 中文说明代码审查仅修改 lockfile,1 个文件,3 行新增,0 行删除。逐块验证:
无正确性问题。diff 与在 main 分支干净 checkout 后运行 测试结果修复前(main 分支): PR 准确完成了它声称的事情。不多不少。✅ — Qwen Code · qwen3.7-max |
|
Reflection: this is the kind of PR you just merge. It fixes a real annoyance (dirty working tree on every My independent proposal would have been identical — run Approving. ✅ 中文说明反思:这种 PR 直接合就行。它解决了一个实际的困扰(每次 如果让我自己来做,方案完全一样——跑 批准合入 ✅ — Qwen Code · qwen3.7-max |
qwen-code-ci-bot
left a comment
There was a problem hiding this comment.
LGTM, looks ready to ship. ✅
qwen-code-ci-bot
left a comment
There was a problem hiding this comment.
No issues found. LGTM! ✅ — qwen3.7-max via Qwen Code /review
Code Coverage Summary
CLI Package - Full Text ReportCore Package - Full Text ReportFor detailed HTML reports, please see the 'coverage-reports-22.x-ubuntu-latest' artifact from the main CI run. |
✅ Local A/B verification (real
|
| Check | Result |
|---|---|
main (5854e283) + npm install |
package-lock.json dirtied, exactly +3 lines |
| npm-generated diff vs this PR's diff | byte-identical content changes (all 3 hunks, including the "peer": true flag on the darwin-only package — generated on a Linux install too, so the dirty-tree annoyance hits every platform and this fix is platform-independent) |
merge of PR into main + npm install |
package-lock.json untouched — nothing else in the tree wants to change either |
merged + npm ci |
exit 0, no missing:/invalid: warnings, lockfile untouched |
| Dup check | no other open PR addresses the lockfile desync |
(packages/vscode-ide-companion/NOTICES.txt shows as modified in git status on both sides — that's a pre-existing CRLF line-ending phantom in the repo, content-diff is empty, unrelated to this PR.)
Root cause & severity calibration
ws@^8.18.0 / @types/ws@^8.5.0 were added to packages/cli/package.json by the daemon-mode batch #4490 (merged earlier today) without regenerating the lockfile. Notably, the lockfile already resolves node_modules/ws@8.21.0 (satisfies ^8.18.0) and @types/ws — the missing lines are only the workspace manifest-mirror entries (plus the peer flag). That's why npm ci kept working all along (verified — npm ci passed on main worktrees three times today during other PR verifications, and CI is green); the only symptom is the every-install dirty tree this PR removes. Hygiene fix, correctly scoped, nothing else mixed in.
CI: all three platform Test jobs + Lint + CodeQL green on this PR.
🇨🇳 中文版(点击展开)
✅ 本地 A/B 验证(全新 worktree 上的真实 npm install,Linux)— 精确、完整、可合并
结论:该 lockfile 变更与 npm 在 main 干净检出上自动生成的内容逐字节一致,并完全恢复了安装后工作区的干净状态。已在 Linux 上验证(作者只测了 macOS —— peer 标志那块也是平台无关的,见下)。建议合并。
A/B 结果(全新 worktree,tmux 驱动 npm install,npm 10.9.7 / node v22.22.2)
| 检查项 | 结果 |
|---|---|
main(5854e283)+ npm install |
package-lock.json 变脏,恰好 +3 行 |
| npm 生成的 diff vs 本 PR 的 diff | 内容变更逐字节一致(全部 3 个 hunk,包括 darwin-only 包上的 "peer": true 标志 —— Linux 安装同样会生成,说明每个平台的贡献者都会遇到脏树问题,本修复平台无关) |
PR 合入 main + npm install |
package-lock.json 未被改动 —— 树中也没有其他文件想变 |
合并后 + npm ci |
退出码 0,无 missing:/invalid: 告警,lockfile 未动 |
| 查重 | 无其他开放 PR 处理此失同步 |
(packages/vscode-ide-companion/NOTICES.txt 在两侧的 git status 中都显示为已修改 —— 这是仓库预存在的 CRLF 行尾幻影,内容 diff 为空,与本 PR 无关。)
根因与严重度校准
ws@^8.18.0 / @types/ws@^8.5.0 由今天早些时候合入的 daemon 模式批次 #4490 加进 packages/cli/package.json,但没有重新生成 lockfile。值得注意的是,lockfile 已经包含 node_modules/ws@8.21.0(满足 ^8.18.0)和 @types/ws 的解析条目 —— 缺的只是 workspace 的 manifest 镜像条目(外加 peer 标志)。这正是 npm ci 一直没坏的原因(已验证 —— 今天在其他 PR 验证过程中,我在 main worktree 上跑过三次 npm ci 全部成功,CI 也是绿的);唯一症状就是本 PR 消除的"每次安装树就变脏"。卫生类修复,范围正确,无夹带。
CI:三平台 Test + Lint + CodeQL 在本 PR 上全绿。
What this PR does
Commits the regenerated lockfile so it matches the CLI package's declared dependencies (
wsand@types/ws), which were added to the manifest without updating the lockfile.Why it's needed
On a clean checkout of main, running
npm installdirtiespackage-lock.json— npm adds the two missing entries (plus apeerflag on a transitive darwin-only package) on every install. This makes every contributor's working tree dirty after install and risks the noise leaking into unrelated PRs.Reviewer Test Plan
How to verify
On a clean checkout of this branch, run
npm installand confirmgit statusshows no changes topackage-lock.json. On main, the same steps produce a 3-line lockfile diff.Evidence (Before & After)
N/A — lockfile-only change; the diff is the three entries
npm installgenerates (verified on a clean worktree of latest main).Tested on