Outdated package-lock.json version fields

[nmussy]

🐛 Bug Report

What is the problem?

Every package's package-lock.json version field wasn't updated for the 1.8.0 release:

aws-cdk/packages/@aws-cdk/core/package-lock.json

Line 3 in f63bf6f

"version": "1.7.0",

This causes changes when building the application

Reproduction Steps

./install.sh
git status

Environment

• CDK CLI Version: 1.8.0
• Module Version: 1.8.0
• OS: all
• Language: all

Other information

This probably should have been caught by #3451

[eladb]

Thanks for letting us know. No impact to end users, correct?

[nmussy]

Not that I'm aware of, but I can't find a definitive answer. The packages are still published with the correct version.

I found relevant information from the lerna repository to avoid this in the future: lerna#1415

[nmussy]

I've attempted to fix this issue by adding this bootstrap command after the existing publish command:

aws-cdk/bump.sh

Line 13 in 94e05a7

npx lerna publish --force-publish=* --skip-npm --skip-git --repo-version ${ver}

npx lerna bootstrap --ignore-scripts -- --package-lock-only --no-audit

While this bumps the package-locks, it also removes dependencies, for example:

--- a/packages/@aws-cdk/aws-autoscaling-common/package-lock.json
+++ b/packages/@aws-cdk/aws-autoscaling-common/package-lock.json
@@ -1,6 +1,6 @@
 {
   "name": "@aws-cdk/aws-autoscaling-common",
-  "version": "1.8.0",
+  "version": "1.9.0",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
@@ -25,18 +25,6 @@
       "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.10.0.tgz",
       "integrity": "sha512-qOebF53frne81cf0S9B41ByenJ3/IuH8yJKngAX35CmiZySA0khhkovshKK+jGCaMnVomla7gVlIcc3EvKPbTQ==",
       "dev": true
-    },
-    "cdk-build-tools": {
-      "version": "file:../../../tools/cdk-build-tools",
-      "dev": true
-    },
-    "cdk-integ-tools": {
-      "version": "file:../../../tools/cdk-integ-tools",
-      "dev": true
-    },
-    "pkglint": {
-      "version": "file:../../../tools/pkglint",
-      "dev": true
     }
   }
 }

[eladb]

I don't think these are important actually in package-lock files. @RomainMuller what do you think?

[RomainMuller]

lerna bootstrap is insufficient as far as I know. It will not do anything with the private packages (which are referenced by path instead of version). Running lerna bootstrap does also not reliably update package-lock.json files as it turns out.

The install.sh script we have runs an additional pass after lerna bootstrap that caters for the private packages & makes sure the package-lock.json files are updated to the best of my understanding of what npm install would have done there.

[RomainMuller]

We no longer use package-lock.json :)