fix: always upgrade lock files and show output on failure in upgrade-packs.sh

Copilot · data-douser · web-flow · commit 81540ab98e30 · 2026-03-29T22:54:27.000Z
- Move `codeql pack upgrade` before the wildcard check so wildcard packs (e.g., javascript/examples/src) still get their lock files refreshed; only skip the pinning step for wildcard deps - Capture `codeql pack upgrade` output and print it to stderr on failure instead of silencing all output with >/dev/null 2>&1 - Update inline comment to reflect the new behaviour Agent-Logs-Url: https://github.com/advanced-security/codeql-development-mcp-server/sessions/7483057a-9273-4f33-aa96-a2f662c84d44 Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>
diff --git a/server/scripts/upgrade-packs.sh b/server/scripts/upgrade-packs.sh
@@ -83,7 +83,8 @@ cd "${REPO_ROOT}"
 ## Strategy: run `codeql pack upgrade` first to resolve the latest compatible
 ## version into the lock file, then read the resolved version back and update
 ## the codeql-pack.yml to pin that exact version. Packs with wildcard
-## dependencies (e.g., '*') are skipped — those intentionally float.
+## dependencies (e.g., '*') still get their lock files upgraded, but the
+## pinning step is skipped — those versions intentionally float.
 pin_upstream_dep() {
 	local pack_dir="$1"
 	local pack_yml="${pack_dir}/codeql-pack.yml"
@@ -105,15 +106,22 @@ pin_upstream_dep() {
 	dep_name=$(echo "${dep_line}" | sed 's/^[[:space:]]*//' | cut -d: -f1)
 	dep_old_version=$(echo "${dep_line}" | sed 's/^[^:]*:[[:space:]]*//')
 
-	## Skip wildcard dependencies — these intentionally float
+	## Always run codeql pack upgrade so the lock file stays in sync with
+	## the CLI, even for packs with wildcard dependencies that intentionally
+	## float. Only the pinning step is skipped for wildcard deps.
+	local upgrade_output
+	if ! upgrade_output=$(codeql pack upgrade -- "${pack_dir}" 2>&1); then
+		echo "  ❌ codeql pack upgrade failed for ${pack_dir}:" >&2
+		echo "${upgrade_output}" >&2
+		return 1
+	fi
+
+	## Skip pinning for wildcard dependencies — these intentionally float
 	if [[ "${dep_old_version}" == *"*"* ]]; then
-		echo "  ℹ️  ${dep_name}: ${dep_old_version} (wildcard — skipping)"
+		echo "  ℹ️  ${dep_name}: ${dep_old_version} (wildcard — lock file upgraded, pinning skipped)"
 		return
 	fi
 
-	## Run codeql pack upgrade to resolve the latest compatible version
-	codeql pack upgrade -- "${pack_dir}" >/dev/null 2>&1
-
 	if [[ ! -f "${lock_file}" ]]; then
 		echo "  ⚠️  No lock file after upgrade for ${pack_dir}" >&2
 		return
