Skip to content

fix: audit the committed lockfile without regenerating it#340

Merged
ChiragAgg5k merged 2 commits into
masterfrom
fix-audit-no-lock-regen
Jul 10, 2026
Merged

fix: audit the committed lockfile without regenerating it#340
ChiragAgg5k merged 2 commits into
masterfrom
fix-audit-no-lock-regen

Conversation

@ChiragAgg5k

Copy link
Copy Markdown
Member

The publish workflow's audit step rewrote package-lock.json with CI's pinned npm and failed on any diff. That check asserts CI's npm version can byte-reproduce the committed lock — but the lock is generated from sdk-generator's package-lock.json.twig (the single source of truth), and npm versions differ in the lockfile metadata they emit (libc fields, overrides placement). This is what blocked the 22.6.1 release until the lock was hand-normalized in #339.

The step now only runs the vulnerability scan against the committed lock:

npm audit --package-lock-only --audit-level=high --omit=dev

--package-lock-only reads the lockfile directly (no install, no rewrite). Verified locally with npm 11.10.0: audit passes and the lock is untouched.

Lockfile integrity is still covered — Build Validation runs npm ci, which fails if the lock and package.json are out of sync.

@greptile-apps

greptile-apps Bot commented Jul 10, 2026

Copy link
Copy Markdown

Greptile Summary

This PR fixes a fragile CI step in the publish workflow that caused the 22.6.1 release to stall. The old audit step regenerated package-lock.json using CI's pinned npm and then failed on any resulting diff, but different npm versions emit slightly different lockfile metadata (e.g. libc fields, overrides placement), making byte-exact reproduction impossible.

  • The three-command block (npm install --package-lock-only, git diff --exit-code, npm audit) is replaced with a single npm audit --package-lock-only --audit-level=high --omit=dev, which reads the committed lockfile directly without touching it.
  • Lockfile integrity (lock vs. package.json consistency) continues to be enforced by npm ci in the separate Build Validation workflow, so no safety net is lost.

Confidence Score: 5/5

Safe to merge — the change is minimal, the vulnerability scan is fully preserved, and lockfile integrity remains enforced by the separate Build Validation workflow.

The single changed step removes a lockfile-regeneration check that was incorrectly asserting byte-exact npm output across different npm versions, replacing it with a read-only audit that achieves the actual goal. All existing safety nets remain intact.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/publish.yml Replaces the three-command audit step (install → diff check → audit) with a single npm audit --package-lock-only call, removing the brittle lockfile-regeneration check while preserving vulnerability scanning.

Reviews (2): Last reviewed commit: "(cleanup): drop explanatory comment from..." | Re-trigger Greptile

@ChiragAgg5k ChiragAgg5k merged commit b52cc65 into master Jul 10, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants