Skip to content

fix: pin npm for lockfile generation to match publish audit#1659

Closed
ChiragAgg5k wants to merge 1 commit into
mainfrom
fix-cli-lockfile-npm-pin
Closed

fix: pin npm for lockfile generation to match publish audit#1659
ChiragAgg5k wants to merge 1 commit into
mainfrom
fix-cli-lockfile-npm-pin

Conversation

@ChiragAgg5k

Copy link
Copy Markdown
Member

The sdk-for-cli 22.6.1 publish failed at its Audit npm dependencies step, which regenerates package-lock.json with the workflow-pinned npm 11.10.0 and fails on any diff. The committed lock came from update-lockfiles.sh, which used whatever npm is installed locally — npm 11.16.0 in this case, which emits libc fields on optional native-binary entries that 11.10.0 doesn't. The sync_npm_overrides step made it worse: it injected an overrides block into packages[""] that npm 11.10.0's own --package-lock-only output never contains, guaranteeing drift.

Changes:

  1. update-lockfiles.sh now runs lockfile generation through npx -y npm@${SDK_GEN_NPM_VERSION} (default 11.10.0, matching the sdk-for-cli publish workflow pin), instead of the ambient npm.
  2. Removed sync_npm_overrides — npm resolves overrides from package.json at install time and its canonical --package-lock-only output does not include the block in packages[""]; injecting it breaks the audit's git diff --exit-code.
  3. Regenerated templates/cli/package-lock.json.twig with the pinned version. Verified the de-twigged output is a fixed point of the audit's rewrite: running npm@11.10.0 install --package-lock-only over it produces zero diff, and it byte-matches the normalized lock now on sdk-for-cli master (appwrite/sdk-for-cli#339). bun.lock.twig was regenerated and is unchanged.

npm ci && npm run build verified working against the normalized lock. If the publish workflow's npm pin is ever bumped, regenerate with SDK_GEN_NPM_VERSION=<version> ./scripts/update-lockfiles.sh.

@greptile-apps

greptile-apps Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR fixes a recurring publish failure for sdk-for-cli caused by lockfile drift: the local update-lockfiles.sh used whichever npm was installed (recently 11.16.0), while the publish workflow's audit step regenerates the lock with a pinned npm 11.10.0 and fails on any diff.

  • update-lockfiles.sh now invokes lockfile generation through npx -y \"npm@${SDK_GEN_NPM_VERSION}\" (defaulting to 11.10.0) instead of the ambient npm, eliminating the source of version-dependent metadata differences (libc fields, formatting).
  • The sync_npm_overrides helper is removed because npm resolves overrides from package.json at install time and does not write them into packages[\"\"] of the generated lock; the injected block was always causing a diff against the audit's canonical output.
  • templates/cli/package-lock.json.twig is regenerated to match what npm 11.10.0 actually produces, removing libc fields and the overrides block.

Confidence Score: 4/5

The change is safe to merge; it correctly roots out the two sources of lockfile drift without affecting any runtime behaviour of the generated SDKs.

The script change is straightforward and the approach (pin via npx, drop the overrides injection) directly matches the audit workflow's behaviour. The one minor rough edge is that stderr from the npx/npm subprocess is still swallowed with 2>/dev/null, making download or registry failures harder to diagnose, but this is a pre-existing style issue and does not affect correctness.

No files require special attention; the lockfile template regeneration is mechanical and the script logic is easy to follow.

Important Files Changed

Filename Overview
scripts/update-lockfiles.sh Pins lockfile generation to npm@${SDK_GEN_NPM_VERSION} (default 11.10.0) via npx, and removes the sync_npm_overrides function that was injecting an overrides block into packages[""] of the generated lock
templates/cli/package-lock.json.twig Regenerated with npm 11.10.0: removes the overrides block from packages[""] and removes libc fields from optional native-binary entries that newer npm versions added

Fix All in Claude Code Fix All in Codex

Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
scripts/update-lockfiles.sh:118
**Stderr silently suppressed for npx download failures**

`2>/dev/null` already existed for the ambient-npm invocation, but with `npx -y` there is now an additional failure mode: if the network is unavailable or `npm@11.10.0` cannot be fetched from the registry, `npx` exits non-zero but the error message is discarded. The `set -e` in the script will still abort the run (the missing `package-lock.json` will cause the subsequent `cp` to fail with a generic "No such file" message), but the actual root cause — a network or registry error — is lost. Dropping `2>/dev/null`, or piping stderr to a log file, would surface that signal without breaking the existing quiet-on-success behaviour.

Reviews (1): Last reviewed commit: "(fix): pin npm for lockfile generation t..." | Re-trigger Greptile

mkdir -p "$dir"
strip_twig "$template" > "$dir/package.json"
(cd "$dir" && npm_config_legacy_peer_deps=false npm install --package-lock-only --ignore-scripts --silent 2>/dev/null)
(cd "$dir" && npm_config_legacy_peer_deps=false npx -y "npm@${SDK_GEN_NPM_VERSION}" install --package-lock-only --ignore-scripts --silent 2>/dev/null)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Stderr silently suppressed for npx download failures

2>/dev/null already existed for the ambient-npm invocation, but with npx -y there is now an additional failure mode: if the network is unavailable or npm@11.10.0 cannot be fetched from the registry, npx exits non-zero but the error message is discarded. The set -e in the script will still abort the run (the missing package-lock.json will cause the subsequent cp to fail with a generic "No such file" message), but the actual root cause — a network or registry error — is lost. Dropping 2>/dev/null, or piping stderr to a log file, would surface that signal without breaking the existing quiet-on-success behaviour.

Prompt To Fix With AI
This is a comment left during a code review.
Path: scripts/update-lockfiles.sh
Line: 118

Comment:
**Stderr silently suppressed for npx download failures**

`2>/dev/null` already existed for the ambient-npm invocation, but with `npx -y` there is now an additional failure mode: if the network is unavailable or `npm@11.10.0` cannot be fetched from the registry, `npx` exits non-zero but the error message is discarded. The `set -e` in the script will still abort the run (the missing `package-lock.json` will cause the subsequent `cp` to fail with a generic "No such file" message), but the actual root cause — a network or registry error — is lost. Dropping `2>/dev/null`, or piping stderr to a log file, would surface that signal without breaking the existing quiet-on-success behaviour.

How can I resolve this? If you propose a fix, please make it concise.

Fix in Claude Code Fix in Codex

@ChiragAgg5k

Copy link
Copy Markdown
Member Author

Closing — the twig lockfile templates are the single source of truth for the generated lock files, so the publish audit shouldn't regenerate the lock in CI at all. The drift check is being removed from sdk-for-cli's publish workflow instead; no npm pinning needed here.

@ChiragAgg5k ChiragAgg5k deleted the fix-cli-lockfile-npm-pin branch July 10, 2026 08:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant