Skip to content

fix: include npm-shrinkwrap.json in published package#90

Merged
pchuri merged 2 commits intomainfrom
fix/shrinkwrap-publish
Apr 2, 2026
Merged

fix: include npm-shrinkwrap.json in published package#90
pchuri merged 2 commits intomainfrom
fix/shrinkwrap-publish

Conversation

@pchuri
Copy link
Copy Markdown
Owner

@pchuri pchuri commented Apr 2, 2026
edited
Loading

Description

Ensure npm-shrinkwrap.json is actually included in the published npm tarball, kept in sync on each release, and fix a known lodash vulnerability.

Changes:

  • package.json: add npm-shrinkwrap.json to the files array so npm pack includes it
  • .releaserc: add npm-shrinkwrap.json to the @semantic-release/git assets so its version field is bumped and committed alongside package.json on each release
  • npm-shrinkwrap.json: bump lodash from 4.17.23 to 4.18.1 via npm audit fix, resolving GHSA-r5fr-rjxr-66jc (Code Injection) and GHSA-f23m-r3pf-42rh (Prototype Pollution)

Closes #89

Type of Change

  • Bug fix (non-breaking change which fixes an issue)

Testing

  • Tests pass locally with my changes
  • New and existing unit tests pass locally with my changes

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • My changes generate no new warnings

pchuri added 2 commits April 2, 2026 10:14
@pchuri
fix: include npm-shrinkwrap.json in published package
49a0f59 
Add npm-shrinkwrap.json to the files field in package.json so it is
included in the npm tarball. Also add it to .releaserc git assets so
semantic-release commits the updated version on each release.

Closes #89
@pchuri
fix: update lodash to 4.18.1 to resolve known vulnerabilities
7049b3f 
Run npm audit fix to bump lodash from 4.17.23 to 4.18.1, resolving
GHSA-r5fr-rjxr-66jc (Code Injection) and GHSA-f23m-r3pf-42rh
(Prototype Pollution).
@pchuri pchuri merged commit 58ad062 into main Apr 2, 2026
6 checks passed
github-actions bot pushed a commit that referenced this pull request Apr 2, 2026
@semantic-release-bot
chore(release): 1.27.8 [skip ci]
6221a18 
## [1.27.8](v1.27.7...v1.27.8) (2026-04-02)

### Bug Fixes

* include npm-shrinkwrap.json in published package ([#90](#90)) ([58ad062](58ad062)), closes [#89](#89)
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 2, 2026

🎉 This PR is included in version 1.27.8 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

npm-shrinkwrap.json not published

1 participant

@pchuri