Skip to content

fix: sync package.json version with published tags, backfill changelog#101

Open
dmchaledev wants to merge 1 commit into
mainfrom
claude/nice-mendel-masbrg
Open

fix: sync package.json version with published tags, backfill changelog#101
dmchaledev wants to merge 1 commit into
mainfrom
claude/nice-mendel-masbrg

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

Summary

Closes #94. package.json/package-lock.json on main were still at 1.0.1 while npm has already shipped v1.0.2 and v1.0.3 — because publish.yml only bumped the version inside its own ephemeral job (npm version "$TAG_VERSION" --no-git-tag-version) and never committed that bump back to main. CHANGELOG.md was similarly stuck at 1.0.1 despite grade-changing rule fixes shipping in between (stricter Permissions-Policy scoring, CSP base-uri/bare-scheme checks, etc.), with no record of why a CI gate's result might have changed.

  • Bump package.json/package-lock.json to 1.0.3 (the latest published tag) so security-headers --version reports the truth.
  • Backfill CHANGELOG.md with [1.0.2] and [1.0.3] entries, called out by PR/issue number, including the grading-relevant changes.
  • Fix the root cause in .github/workflows/auto-tag.yml: it now runs npm version itself and commits the release (chore: release vX.Y.Z [skip ci]) alongside the tag it pushes, so main and the published version can no longer drift apart. [skip ci] keeps the release commit from re-triggering CI (and therefore this same workflow).

No source/behavior changes to the library itself — only package.json, package-lock.json, CHANGELOG.md, and the auto-tag workflow.

Test plan

  • npm run typecheck passes
  • npm test passes (85/85)
  • Verified package.json and package-lock.json versions match (1.0.3) and are valid JSON
  • Validated .github/workflows/auto-tag.yml YAML syntax
  • Next green CI run on main will exercise the updated auto-tag workflow end-to-end (commit + tag + push)

🤖 Generated with Claude Code

https://claude.ai/code/session_01GmYTtFbpbcmFtYv7RbJRFL


Generated by Claude Code

package.json/package-lock.json stayed at 1.0.1 because publish.yml only
bumped the version inside its own ephemeral job — the bump was never
committed back to main. Tags v1.0.2/v1.0.3 were published to npm with no
corresponding CHANGELOG entries, so `--version` and the changelog both
misrepresented what was actually shipped (closes #94).

- Bump package.json/package-lock.json to 1.0.3 (the latest published tag)
- Backfill CHANGELOG.md entries for 1.0.2 and 1.0.3
- auto-tag.yml now bumps package.json itself and commits the release
  (with [skip ci]) alongside the tag, so this can't drift again

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01GmYTtFbpbcmFtYv7RbJRFL
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

2 participants