feat: lock semantic-release publish dependencies by styfle · Pull Request #1327 · vercel/ncc

We have a problem where semantic-release is only called in ci.yml but it doesn't have a lockfile, which means transitive dependencies could change.

I think the reason it was set up this way is to avoid slowing down CI for PRs that don't publish, since they won't need to install semantic-release (40MB). Only main needs to publish.

The fix is to add a new publish directory with its own lock file, then we can install and invoke the bin from the publish directory to ensure dependencies are locked.