Gitpulse
Merged
Size
M
Change Breakdown
CI/CD65%
Security35%
#28503ci: Account for pnpm-workspace changes in bump-versions.mjs

Release pipeline now detects workspace catalog changes

MA
Matsuuu
·Apr 15, 2026

The CI script that determines which packages need version bumps now recognizes changes to pnpm-workspace.yaml catalog entries, enabling security updates without touching package code.

The release pipeline script that decides which packages need version bumps was only watching individual package.json files. When packages reference dependencies through pnpm workspace catalogs, a change to the catalog entry wouldn't trigger version bumps on the affected packages—this broke security update workflows that rely on catalog-level changes.

Packages that use the catalog: specifier for dependencies now get flagged for release when those catalog entries change. Root-level pnpm.overrides changes are also detected and propagate through to dependent packages. The script already tracked dependency chains between packages; this work extends that logic to include workspace-level influences on dependency resolution.

In the monorepo's CI pipeline, packages can now be updated through central catalog changes without manual intervention. Security patches can flow through workspace overrides and catalogs, automatically bumping all downstream packages that depend on the changed entries.

View Original GitHub Description

Summary

The current version of bump-versions.mjs used in the release pipeline only accounts for changes to the actual packages we publish. But as more and more packages rely on catalog: entries from the pnpm workspace, we need to also count changes to that file as package changes.

Without accounting for it, we are not able to push security updates on packages without actually modifying the package contents themselves, which causes a lot of headache.

Also did some general cleanup on the whole file.

Related Linear tickets, Github issues, and Community forum posts

https://linear.app/n8n/issue/CAT-2817/

Review / Merge checklist

  • I have seen this code, I have run this code, and I take responsibility for this code.
  • PR title and summary are descriptive. (conventions) <!-- **Remember, the title automatically goes into the changelog. Use `(no-changelog)` otherwise.** -->
  • Docs updated or follow-up ticket created.
  • Tests included. <!-- A bug is not considered fixed, unless a test is added to prevent it from happening again. A feature is not complete without tests. -->
  • PR Labeled with Backport to Beta, Backport to Stable, or Backport to v1 (if the PR is an urgent fix that needs to be backported)
© 2026 · via Gitpulse