The pre-release version bump workflow (release-prerelease-pr.yml) calls Update-VersionFiles.ps1 to bump package.json to the next pre-release version but never runs npm install afterward. This leaves package-lock.json with the previous version, creating a mismatch between the two files.
The same gap exists in release-stable.yml for the post-release reset path.
Additionally, because hve-core is a private package ("private": true) and is never published to npm, the dependency-review-action reports it with Null license and Unknown OSSF Scorecard score whenever the version changes. The root package should be excluded from license and OSSF checks.
Root Cause
Lockfile sync: Update-VersionFiles.ps1 updates package.json, package.template.json, marketplace JSON files, plugin JSON files, and .release-please-manifest.json — but does not sync package-lock.json. Both workflows run npm ci before the version bump (to install tools), not after.
License/OSSF warnings: The dependency-review-action queries the npm registry for license and scorecard data. Since hve-core is private and unpublished, the registry returns nothing, producing Null license and Unknown score warnings on every version-bump PR.
Evidence
git log --oneline origin/prerelease/next --author="github-actions" -- package-lock.json returns empty — the bot has never committed a package-lock.json change.
package.json bumped to 3.3.26 while package-lock.json remains at 3.3.25.
hve-core 3.3.26 reported with Null license and Unknown OSSF score.
Fix
Run npm install --package-lock-only after Update-VersionFiles.ps1 in both release-prerelease-pr.yml and release-stable.yml.
Add pkg:npm/hve-core to allow-dependencies-licenses in dependency-review.yml to exclude the private root package from license and OSSF checks.
Affected Files
.github/workflows/release-prerelease-pr.yml
.github/workflows/release-stable.yml
.github/workflows/dependency-review.yml
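As an added example (not code from the hve-core repository or its workflows), a POSIX shell check that a CI step could run right after Update-VersionFiles.ps1: it reads the top-level version of package.json and package-lock.json, flags drift like the 3.3.26 / 3.3.25 state above, and repairs it with the npm install --package-lock-only step the Fix proposes. The extra --ignore-scripts --no-audit --no-fund flags and the sample repository layout are my assumptions.

```shell
# Print the top-level "version" value of a JSON file ($1).
# Assumes the root "version" key is the first one in the file, which holds
# for package.json and for lockfile v1/v2/v3 (name, version, lockfileVersion, ...).
json_version() {
  grep -m1 '"version"' "$1" \
    | sed -E 's/.*"version"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/'
}

# Succeed (exit 0) only when package.json and package-lock.json in dir $1
# carry the same non-empty root version; a missing key counts as drift.
lockfile_in_sync() {
  pkg=$(json_version "$1/package.json")
  lock=$(json_version "$1/package-lock.json")
  [ -n "$pkg" ] && [ "$pkg" = "$lock" ]
}

# Report drift, then re-sync the lockfile without touching node_modules
# (the step the issue's Fix adds after the version bump) and re-check.
sync_lockfile() {
  if lockfile_in_sync "$1"; then
    echo "lockfile already in sync"
    return 0
  fi
  echo "drift: package.json=$(json_version "$1/package.json")" \
       "package-lock.json=$(json_version "$1/package-lock.json")" >&2
  ( cd "$1" && npm install --package-lock-only --ignore-scripts --no-audit --no-fund >/dev/null )
  lockfile_in_sync "$1"
}

# Constructed sample data reproducing the reported state: package.json bumped
# to 3.3.26 while package-lock.json still says 3.3.25. Prints the temp dir.
make_sample_repo() {
  dir=$(mktemp -d)
  printf '{\n  "name": "hve-core",\n  "version": "3.3.26",\n  "private": true\n}\n' \
    > "$dir/package.json"
  printf '{\n  "name": "hve-core",\n  "version": "3.3.25",\n  "lockfileVersion": 3,\n  "packages": {\n    "": {\n      "name": "hve-core",\n      "version": "3.3.25"\n    }\n  }\n}\n' \
    > "$dir/package-lock.json"
  echo "$dir"
}
```

Wiring lockfile_in_sync into the release workflows as a failing check (rather than only running the install) would have caught this drift on the first bumped PR instead of leaving it to git log archaeology.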