pnpm workspace catalog changes now trigger package version bumps
The release pipeline can now detect when changes to pnpm workspace catalog entries affect packages, enabling security updates without package-level modifications.
When packages in a monorepo reference dependencies using pnpm workspace catalog specifiers, changes to the catalog entries weren't being detected by the release pipeline. This meant security updates couldn't be pushed through the normal release process without actually modifying package files.
The version bumping script now parses and compares pnpm-workspace.yaml alongside package.json changes. When a catalog entry changes, any package that depends on it through a catalog: specifier gets marked for a version bump. The same logic applies to pnpm.overrides changes that affect resolved dependency versions.
This enables the release pipeline to properly handle dependency security updates in monorepo setups, without requiring unnecessary package-level changes just to trigger the process.
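The catalog comparison described above, sketched as an added example; this is not the project's bump-versions.mjs. It assumes both revisions of pnpm-workspace.yaml and each package.json are already parsed into objects, it covers catalog entries only (not pnpm.overrides), and all function, package and dependency names are hypothetical.

```javascript
// Added example; inputs are already-parsed pnpm-workspace.yaml / package.json objects.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];

// Flatten the default `catalog` and named `catalogs` into Map("<catalog>\0<dep>" -> range).
function flattenCatalogs(workspace) {
  const named = { ...(workspace.catalogs ?? {}) };
  if (workspace.catalog) named.default = { ...(named.default ?? {}), ...workspace.catalog };
  const flat = new Map();
  for (const [catalogName, entries] of Object.entries(named)) {
    for (const [dep, range] of Object.entries(entries ?? {})) flat.set(`${catalogName}\0${dep}`, range);
  }
  return flat;
}

// Keys whose range was added, removed or changed between two revisions.
function changedCatalogKeys(before, after) {
  const a = flattenCatalogs(before);
  const b = flattenCatalogs(after);
  return new Set([...a.keys(), ...b.keys()].filter((key) => a.get(key) !== b.get(key)));
}

// Names of packages that reference a changed entry through a `catalog:` specifier.
// `catalog:` and `catalog:default` both refer to the default catalog.
function packagesToBump(before, after, manifests) {
  const changed = changedCatalogKeys(before, after);
  const usesChanged = (manifest) => DEP_FIELDS.some((field) =>
    Object.entries(manifest[field] ?? {}).some(([dep, spec]) =>
      typeof spec === 'string' && spec.startsWith('catalog:') &&
      changed.has(`${spec.slice('catalog:'.length) || 'default'}\0${dep}`)));
  return manifests.filter(usesChanged).map((manifest) => manifest.name).sort();
}

// Constructed sample: only `http-lib` in the default catalog gets a patched version.
const BEFORE = { catalog: { 'http-lib': '1.7.0', 'schema-lib': '3.2.0' }, catalogs: { frontend: { 'ui-lib': '3.4.0' } } };
const AFTER = { catalog: { 'http-lib': '1.7.9', 'schema-lib': '3.2.0' }, catalogs: { frontend: { 'ui-lib': '3.4.0' } } };
const MANIFESTS = [
  { name: 'pkg-http', dependencies: { 'http-lib': 'catalog:' } },
  { name: 'pkg-ui', dependencies: { 'ui-lib': 'catalog:frontend' }, devDependencies: { 'http-lib': 'catalog:default' } },
  { name: 'pkg-pinned', dependencies: { 'http-lib': '1.7.0', 'schema-lib': 'catalog:' } },
];
console.log(packagesToBump(BEFORE, AFTER, MANIFESTS));
```

`pkg-pinned` is not selected because it pins `http-lib` directly instead of through the catalog, so a catalog-only fix never reaches it.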
Description
Backport of #28503 to release-candidate/2.17.x.
Checklist for the author (@Matsuuu) to go through.
- Review the backport changes
- Fix possible conflicts
- Merge to target branch
After this PR has been merged, it will be picked up in the next patch release for the release track.
Original description
Summary
The current version of bump-versions.mjs used in the release pipeline only accounts for changes to the actual packages we publish. But as more and more packages rely on catalog: entries from the pnpm workspace, we need to also count changes to that file as package changes.
Without accounting for it, we are not able to push security updates on packages without actually modifying the package contents themselves, which causes a lot of headache.
Also did some general cleanup on the whole file.
Related Linear tickets, GitHub issues, and Community forum posts
https://linear.app/n8n/issue/CAT-2817/
Review / Merge checklist
- I have seen this code, I have run this code, and I take responsibility for this code.
- PR title and summary are descriptive. (conventions)
- Docs updated or follow-up ticket created.
- Tests included.
- PR Labeled with Backport to Beta, Backport to Stable, or Backport to v1 (if the PR is an urgent fix that needs to be backported)