package-lock.json still references old versions of (bumped) local packages

[soulchild]

I don't know whether this is the right place, but I noticed that our package-lock.json still references old versions after running release-it with this plugin. The versions of all local packages are updated, say from 0.12.0 to 0.12.1, but the package-lock.json still references version 0.12.0 for all local packages. Running npm install immediately after creating a new release results in the following error, because the old version of the local package is of course not available anymore:

npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/@myorg%2fmylocalpackage - Not found
npm ERR! 404 
npm ERR! 404  '@myorg/mylocalpackage@^0.12.0' is not in this registry.
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

Deleting and recreating package-lock.json fixes the error, but that's not a favorable workaround.

In contrast to #85 running npm install without removing package-lock.json does not help because it fails with the above error instead of just "fixing" the local package versions.

I'm using Node@18.13.0, npm@8.19.4, release-it@15.6.0 and @release-it-plugins/workspaces@3.2.0.

[soulchild]

@rwjblue I just upgraded to release-it v16.1.0 and @release-it-plugins/workspaces v4.0.0. While cutting a new release I'm still seeing this issue. Maybe I'm doing something terribly wrong, but this makes release-it with workspaces completely unusable for me.

Again, here's what's happening:

Running release-it bumps the version of all local workspace packages and the versions of local dependencies:

package-a/package.json

   "name": "@foo/package-a",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "dependencies": {
-    "@foo/package-b": "^1.0.0",
+    "@foo/package-b": "^1.0.1",
   }

package-b/package.json

   "name": "@foo/package-b",
-  "version": "1.0.0",
+  "version": "1.0.1",

It even bumps the version of the root package in the package-lock.json:

package-lock.json

{
   "name": "@foo/package-a",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "packages": {
     "": {
       "name": "@foo/package-a",
-      "version": "1.0.0",
+      "version": "1.0.1",

But what it doesn't bump is the version of the local workspace packages in the package-lock.json:

{
  "name": "@foo/package-a",
  "version": "1.0.1",     // <-- Cool
  "lockfileVersion": 3,
  "packages": {
    "": {
      "name": "@foo/package-a",
      "version": "1.0.1"     // <-- Cool
    },
    "@foo/package-b": {
      "version": "1.0.0"    // <-- This should be 1.0.1 as well, shouldn't it?
    }
  }
}

Running npm install after release-it now tries to fetch the v1.0.1 version of my local package from the npm registry which of course fails, because I'm not publishing to npm. I suspect this is because the local package-lock.json tells npm that there's no version v1.0.1 of this package (only v1.0.0).

npm ERR! code E404
npm ERR! 404 Not Found - GET https://npm-registry.dg-i.net/@foo%2fpackage-b - no such package available
npm ERR! 404
npm ERR! 404  '@foo/package-b@^1.0.1' is not in this registry.
npm ERR! 404

Any ideas are greatly appreciated! Thanks!

Node version: v18.16.0
npm version: 9.5.1

[soulchild]

After manually patching the line:

- "version": "1.0.0"    // <-- This should be 1.0.1 as well, shouldn't it?
+ "version": "1.0.1"

in my package-lock.json a subsequent npm install run works, so this definitely has got something to do with the problem I'm seeing.

Also, this seems to be something which has changed in recent months because I've been using release-it successfully for over a year now.