hastebin/scripts/refresh-lockfile.sh


#!/bin/sh
# Refresh package-lock.json to apply npm overrides and get latest compatible versions
# This ensures security patches from overrides are actually applied
#
# Usage:
# ./scripts/refresh-lockfile.sh # Refresh lock file and install deps
# ./scripts/refresh-lockfile.sh --check # Check if refresh needed (for CI)
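set -e

# Work from the project root (the parent of scripts/), wherever we were called from.
cd -- "$(dirname -- "$0")/.."

CHECK_MODE=false
if [ "${1:-}" = "--check" ]; then
  CHECK_MODE=true
fi

echo "🔄 Refreshing package-lock.json..."

# Detect hash command (sha256sum on Linux, shasum on macOS)
HASH_CMD=""
if command -v sha256sum >/dev/null 2>&1; then
  HASH_CMD="sha256sum"
elif command -v shasum >/dev/null 2>&1; then
  HASH_CMD="shasum -a 256"
else
  echo "❌ Error: Neither sha256sum nor shasum found" >&2
  exit 1
fi

# Print the SHA-256 hex digest of the file named by $1.
# Returns non-zero if the hash tool fails (for example, the file is missing),
# so a failed hash can never be mistaken for an empty-but-equal digest.
hash_file() {
  # HASH_CMD is intentionally unquoted: "shasum -a 256" must split into words.
  # shellcheck disable=SC2086
  _digest=$($HASH_CMD "$1") || return 1
  # Tool output is "<digest>  <filename>"; keep only the digest.
  printf '%s\n' "${_digest%% *}"
}

# Scratch directory used by --check. A dedicated name is used instead of
# TMPDIR, which tools (npm, mktemp) read to locate their own temp files.
WORK_DIR=""
cleanup() {
  if [ -n "$WORK_DIR" ]; then
    rm -rf -- "$WORK_DIR"
  fi
}
# Remove the scratch directory on every exit path, including set -e aborts.
trap cleanup EXIT
trap 'exit 1' HUP INT TERM

# Record the current lock file hash for comparison
OLD_HASH=""
if [ -f package-lock.json ]; then
  OLD_HASH=$(hash_file package-lock.json)
fi

if [ "$CHECK_MODE" = true ]; then
  # CI mode: generate a fresh lock file in a temp dir, compare hashes.
  # --ignore-scripts keeps dependency lifecycle scripts from running here.
  # NOTE(review): only package.json is copied, so a project-level .npmrc (if
  # the repo has one) is not seen by this npm run, and resolution starts from
  # scratch against whatever the registry serves at that moment. The check can
  # therefore fail without any change in the repository - confirm intended.
  WORK_DIR=$(mktemp -d)
  cp package.json "$WORK_DIR/"
  # npm's stderr is captured rather than discarded so that a failure in CI
  # is explained instead of exiting silently.
  if ! (cd "$WORK_DIR" && npm install --package-lock-only --ignore-scripts 2>npm-stderr.log); then
    echo "❌ Error: npm install --package-lock-only failed" >&2
    cat "$WORK_DIR/npm-stderr.log" >&2
    exit 1
  fi
  NEW_HASH=$(hash_file "$WORK_DIR/package-lock.json")
else
  # Local mode: clean and regenerate with full install.
  # NOTE(review): deleting package-lock.json drops every pinned version and
  # integrity hash, and a plain `npm install` runs the install scripts of the
  # newly resolved packages. Review the resulting lock file diff before
  # committing it.
  rm -rf -- node_modules package-lock.json
  npm install
  if [ ! -f package-lock.json ]; then
    echo "❌ Error: npm install did not produce package-lock.json" >&2
    exit 1
  fi
  NEW_HASH=$(hash_file package-lock.json)
fi

if [ "$OLD_HASH" = "$NEW_HASH" ]; then
  echo "✅ package-lock.json is up to date"
  exit 0
fi

echo "📦 package-lock.json was updated"
if [ "$CHECK_MODE" = true ]; then
  echo "⚠️ Lock file is out of date - run 'npm run refresh:lockfile' locally"
  exit 1
fi
echo "✅ Refresh complete - commit the updated package-lock.json"
exit 0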