Gitpulse
Merged
Size
M
Change Breakdown
CI/CD60%
Bug Fix25%
Feature15%
#28506ci: Account for pnpm-workspace changes in bump-versions.mjs (backport to 1.x)

Release pipeline now detects workspace catalog changes

N8
n8n-assistant
·Apr 15, 2026

The CI script that bumps package versions now tracks changes to pnpm-workspace.yaml catalogs and root overrides, fixing a gap that prevented clean security updates when only workspace configuration changed.

The release pipeline that bumps package versions during releases had a blind spot: it only detected changes to individual files. When packages reference dependencies through pnpm workspace catalogs (like catalog: specifiers) or root-level overrides, changes to those workspace files wouldn't trigger version bumps on affected packages. This meant security updates to catalog entries required adding dummy content changes to packages just to force a version bump.

A small script in now compares the current workspace state against the tagged version, detecting changes to catalog entries and root overrides. When a dependency's catalog version or override value changes, all packages using that dependency are marked as needing a version bump—matching how the pipeline already handled direct changes.

In the n8n monorepo release pipeline, this change ensures security patches reach users correctly, without workarounds.

View Original GitHub Description

Description

Backport of #28503 to 1.x.

Checklist for the author (@Matsuuu) to go through.

  • Review the backport changes
  • Fix possible conflicts
  • Merge to target branch

After this PR has been merged, it will be picked up in the next patch release for release track.

Original description

Summary

The current version of bump-versions.mjs used in the release pipeline only accounts for changes to the actual packages we publish. But as more and more packages rely on catalog: entries from the pnpm workspace, we need to also count changes to that file as package changes.

Without accounting for it, we are not able to push security updates on packages without actually modifying the package contents themselves, which causes a lot of headache.

Also did some general cleanup on the whole file.

Related Linear tickets, Github issues, and Community forum posts

https://linear.app/n8n/issue/CAT-2817/

Review / Merge checklist

  • I have seen this code, I have run this code, and I take responsibility for this code.
  • PR title and summary are descriptive. (conventions) <!-- **Remember, the title automatically goes into the changelog. Use `(no-changelog)` otherwise.** -->
  • Docs updated or follow-up ticket created.
  • Tests included. <!-- A bug is not considered fixed, unless a test is added to prevent it from happening again. A feature is not complete without tests. -->
  • PR Labeled with Backport to Beta, Backport to Stable, or Backport to v1 (if the PR is an urgent fix that needs to be backported)
© 2026 · via Gitpulse