chore: merge base branch changes (package-lock.json sync, RELEASE_BOT_TOKEN, node 24.x, comment fix)

Co-authored-by: Azgaar <26469650+Azgaar@users.noreply.github.com>

.github/workflows/bump-version.yml

@@ -21,13 +21,13 @@ jobs:
         with:
           # fetch-depth 2 so git diff HEAD~1 HEAD works for detecting changed files
           fetch-depth: 2
-          # Use a token so the pushed commit triggers deploy.yml
+          # Use a PAT/GitHub App token so the pushed commit can trigger deploy.yml and other workflows
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.RELEASE_BOT_TOKEN }}
 
       - name: Set up Node
         uses: actions/setup-node@v6
         with:
-          node-version: lts/*
+          node-version: '24.x'
           cache: npm
 
       - name: Determine bump type from PR labels

public/versioning.js

@@ -5,7 +5,7 @@
  * We use Semantic Versioning: major.minor.patch. Refer to https://semver.org
  * Our .map file format is considered the public API.
  *
- * Update the version on each merge to main:
+ * Update the version on each merge to master:
  * 1. MAJOR version: Incompatible changes that break existing maps
  * 2. MINOR version: Additions or changes that are backward-compatible but may require old .map files to be updated
  * 3. PATCH version: Backward-compatible bug fixes and small features that don't affect the .map file format

scripts/bump-version.js

@@ -7,6 +7,7 @@
  * Updates:
  *   - public/versioning.js   — VERSION constant
  *   - package.json           — "version" field
+ *   - package-lock.json      — top-level "version" and packages[""].version fields
  *   - src/index.html         — ?v= cache-busting hashes for changed public/*.js files
  *   - public/**\/*.js        — ?v= cache-busting hashes in dynamic import() calls
  *
@@ -29,6 +30,7 @@ const {execSync} = require("child_process");
 
 const repoRoot = path.resolve(__dirname, "..");
 const packageJsonPath = path.join(repoRoot, "package.json");
+const packageLockJsonPath = path.join(repoRoot, "package-lock.json");
 const versioningPath = path.join(repoRoot, "public", "versioning.js");
 const indexHtmlPath = path.join(repoRoot, "src", "index.html");
 
@@ -139,6 +141,22 @@ function updatePackageJson(newVersion, dry) {
   console.log(`  package.json          ${oldVersion}  →  ${newVersion}`);
 }
 
+function updatePackageLockJson(newVersion, dry) {
+  if (!fs.existsSync(packageLockJsonPath)) {
+    console.log("  package-lock.json     (not found, skipping)");
+    return;
+  }
+  const original = readFile(packageLockJsonPath);
+  const lock = JSON.parse(original);
+  const oldVersion = lock.version;
+  lock.version = newVersion;
+  if (lock.packages && lock.packages[""]) {
+    lock.packages[""].version = newVersion;
+  }
+  if (!dry) writeFile(packageLockJsonPath, `${JSON.stringify(lock, null, 2)}\n`);
+  console.log(`  package-lock.json     ${oldVersion}  →  ${newVersion}`);
+}
+
 function updateIndexHtmlHashes(changedFiles, newVersion, dry) {
   if (changedFiles.length === 0) {
     console.log("  src/index.html        (no changed public/*.js files detected)");
@@ -299,6 +317,7 @@ async function main() {
   const changedFiles = getChangedPublicJsFiles();
   updateVersioningJs(newVersion, dry);
   updatePackageJson(newVersion, dry);
+  updatePackageLockJson(newVersion, dry);
   updateIndexHtmlHashes(changedFiles, newVersion, dry);
   updatePublicJsDynamicImportHashes(changedFiles, newVersion, dry);