Root package-lock.json file not updated by release-pr in monorepo using npm workspaces

[jeremiah-clothier]

Environment details

• Node.js version: 18.15.0
• npm version: 9.5.0
• release-please version: Latest (I'm using google-github-actions/release-please-action@v3)

Steps to reproduce

1. View the PR generated by release-please release-pr in my demo repo (chore: release main jeremiah-clothier/release-please-demo#2)
2. Checkout the PR branch release-please--branches--main
3. Run npm install locally

Actual Behavior: The ./package-lock.json file updates (see diff at bottom of PR description)
Expected Behavior: The ./package-lock.json file should be updated as part of the PR commit from release-please

Additional notes

This behavior is slightly annoying because it requires you to manually checkout the PR branch, run npm install, and commit the changes prior to merging the PR.

Any help on this would be much appreciated 💜 !

---

Example diff (from demo repo)

Diff when running `npm install` on the PR branch `release-please--branches--main`

{
  "name": "my-app",
  "version": "0.0.1.development",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "my-app",
      "version": "0.0.1.development",
      "license": "UNLICENSED",
      "workspaces": [
        "lib/*"
      ],
      "dependencies": {
        "clothiernamedjeremiah-package-one": "^1.0.0",
        "clothiernamedjeremiah-package-two": "^1.0.0"
      }
    },
    "lib/package-one": {
      "name": "clothiernamedjeremiah-package-one",
-      "version": "1.0.1",
+      "version": "1.0.1",
      "license": "UNLICENSED"
    },
    "lib/package-two": {
      "name": "clothiernamedjeremiah-package-two",
-      "version": "1.0.0",
+      "version": "1.0.1",
      "license": "UNLICENSED"
    },
    "node_modules/clothiernamedjeremiah-package-one": {
      "resolved": "lib/package-one",
      "link": true
    },
    "node_modules/clothiernamedjeremiah-package-two": {
      "resolved": "lib/package-two",
      "link": true
    }
  }
}

[jeremiah-clothier]

I tried finding a workaround by adding extra-files, but is seems it's not possible to update files outside of the workspace library (https://github.com/googleapis/release-please/blob/main/src/strategies/base.ts#L674-L677).

"extra-files": [
    {
      "type": "json",
      "path": "~package-lock.json",
      "jsonpath": "$['packages']['lib/package-one']['version']"
    },
    {
      "type": "json",
      "path": "~package-lock.json",
      "jsonpath": "$['packages']['lib/package-two']['version']"
    }
  ]

[wesleytodd]

This results in some odd behavior if you attempt to npm ci in a consecutive workflow, for example to automate the actual publish. I was thinking maybe there was an option to do "post commands" before the PR is created, but that does not appear to be the case. There is also no way to modify the PR because a workflow opened PR does not then trigger a new event. I was thinking maybe I could try having a step after release please in the same workflow, but haven't tried that yet.

Anyway, would be great if this action could update the lock, or provide some way for users to do it with their preferred package manager between the version bump and creating the PR.

[wesleytodd]

Yeah, looks like this file needs to take into account monoreos: https://github.com/googleapis/release-please/blob/main/src/updaters/node/package-lock-json.ts#L30-L39

I guess something with versionsMap from here? I think the issue is that versionMap looks to be the package name, not the path.