fix: normalize package-lock.json to npm 11.10.0 output for publish audit#339
Merged
Conversation
loks0n
approved these changes
Jul 10, 2026
This was referenced Jul 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The 22.6.1 publish run failed at the
Audit npm dependenciesstep: the committedpackage-lock.jsoncame from the sdk-generator template (generated with npm 11.16.0, which writeslibcfields and anoverridesblock inpackages[""]), but the workflow pins npm 11.10.0, whosenpm install --package-lock-onlyrewrite drops those fields — sogit diff --exit-code package-lock.jsonfails.This commits the npm 11.10.0-normalized lock, which is verified to be a fixed point of the audit's rewrite (a second
--package-lock-onlyrun produces zero diff).npm ci && npm run buildverified working with the normalized lock.Follow-up needed in appwrite/sdk-generator: regenerate
package-lock.json.twigwith npm 11.10.0 (or align the workflow pin andupdate-lockfiles.shon one npm version), otherwise the next SDK regeneration reintroduces the drift.