
fix(ci): replace sed version bump with npm version to prevent script corruption#125

Open
Kyzgor wants to merge 1 commit into
permitio:mainfrom
Kyzgor:fix/89-ci-version-bump-regex

Conversation

Kyzgor commented Mar 8, 2026
  • What kind of change does this PR introduce?

    Bug fix (CI / release tooling).

  • What is the current behavior? (link: CI workflow uses a regexp replace and changed the version script #89)

    The publish workflow (.github/workflows/node_sdk_publish.yaml) bumps the package version before
    publishing with a greedy sed:

    sed -i "s/\"version\": \".*\"/\"version\": \"${{ github.event.release.tag_name }}\"/" package.json
    

    This regex matches every "version": key in package.json, not just the top-level field. The
    scripts block contains "version": "standard-version" (a standard-version lifecycle hook
    invoked by prepare-release: run-s reset-hard test cov:check doc:html version doc:publish). The
    sed run overwrites that script with the release version string. The corruption already happened
    (introduced in commit 2abe31f) and is still live on main today — scripts.version is
    "2.5.2" instead of "standard-version", so the version step of prepare-release is broken.

  • What is the new behavior (if this is a feature change)?

    The bump step uses npm's JSON-aware tooling, which only mutates the top-level version field:

    npm version "${{ github.event.release.tag_name }}" --no-git-tag-version --allow-same-version --ignore-scripts
    
    • --no-git-tag-version — no commit/tag created in CI.
    • --ignore-scripts — does not fire the version lifecycle script (standard-version) during the bump.
    • --allow-same-version — tolerates re-runs / a tag equal to the current version.

    package.json's scripts.version is also restored from the corrupted "2.5.2" back to
    "standard-version", and a one-line post-bump assertion in the same step fails the release if
    scripts.version is ever clobbered again. This matches the fix suggested in CI workflow uses a regexp replace and changed the version script #89.

    For the repo's bare-semver release tags the bump is equivalent to the old sed; note npm version
    additionally strips a stray leading v and validates semver (failing fast) where sed wrote the
    tag verbatim — a small improvement, not a behaviour change for current tags.

  • Other information:

    Reproduced before/after (same input package.json, tag 9.9.9)
    # input: top-level version = 2.7.5 , scripts.version = "standard-version"
    
    # (A) old sed  → corrupts BOTH:
    sed -i 's/"version": ".*"/"version": "9.9.9"/' package.json
      line 3:  "version": "9.9.9"
      line 50: "version": "9.9.9"          # scripts.version destroyed
    
    # (B) new npm version  → top-level only:
    npm version 9.9.9 --no-git-tag-version --allow-same-version --ignore-scripts
      line 3:  "version": "9.9.9"
      line 50: "version": "standard-version"   # preserved
    # diff vs input: only the top-level version changed; no git tag/commit; no lifecycle script fired
    

    What's NOT in this PR: no broader rewrite of the publish workflow, no standard-version
    automated-release wiring, no dependency changes, no source changes. (A separate, unrelated issue:
    prepare-release also references doc:html/doc:publish scripts that aren't defined — out of
    scope here.)

    The security/snyk (permit) check shows ERROR; this is an external/integration issue on fork PRs
    (this PR adds no dependencies and changes only CI config + a script string). A maintainer re-run or
    waiver would clear it.

    Fixes CI workflow uses a regexp replace and changed the version script #89
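As an added illustration (not code from the PR or the permitio project), the corruption described above and the JSON-aware alternative, emulated in Node on a constructed package.json; the package name and the x.y.z-only semver check are assumptions of this example:

```javascript
// Constructed package.json resembling the one the PR describes (not the project's real file).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-sdk", // constructed name
  version: "2.7.5",
  scripts: {
    test: "ava",
    version: "standard-version", // the lifecycle hook the greedy sed clobbers
    "prepare-release": "run-s reset-hard test cov:check doc:html version doc:publish",
  },
}, null, 2) + "\n";

// (A) The old step: sed 's/"version": ".*"/"version": "<tag>"/' applied to every line.
// .* is greedy within a line, so every "version": "..." entry is hit, including scripts.version.
function sedStyleBump(text, tag) {
  return text.replace(/"version": ".*"/g, `"version": "${tag}"`);
}

// (B) A JSON-aware bump modelled on `npm version <tag>`: parse, set only the top-level field,
// strip a leading "v", fail fast on a non-semver tag. Simplification: only bare x.y.z is
// accepted here, whereas real npm accepts any valid semver (prerelease/build suffixes too).
function jsonAwareBump(text, tag) {
  const version = tag.replace(/^v/, "");
  if (!/^\d+\.\d+\.\d+$/.test(version)) throw new Error(`invalid semver tag: ${tag}`);
  const pkg = JSON.parse(text);
  pkg.version = version;
  return JSON.stringify(pkg, null, 2) + "\n";
}

// The post-bump guard the PR describes, as a predicate: true only if the standard-version
// lifecycle script survived the bump. In CI this is what should fail the release.
function scriptsVersionIntact(text) {
  const pkg = JSON.parse(text);
  return Boolean(pkg.scripts) && pkg.scripts.version === "standard-version";
}

// Run both bumps with the PR's reproduction tag and report what each did.
function compare(tag = "9.9.9") {
  const sedOut = sedStyleBump(SAMPLE_PACKAGE_JSON, tag);
  const npmOut = jsonAwareBump(SAMPLE_PACKAGE_JSON, tag);
  return {
    sedTop: JSON.parse(sedOut).version,
    sedScript: JSON.parse(sedOut).scripts.version, // "9.9.9": corrupted
    npmTop: JSON.parse(npmOut).version,
    npmScript: JSON.parse(npmOut).scripts.version, // "standard-version": preserved
    sedPassesGuard: scriptsVersionIntact(sedOut),
    npmPassesGuard: scriptsVersionIntact(npmOut),
  };
}

console.log(compare());
```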

Kyzgor force-pushed the fix/89-ci-version-bump-regex branch from fb9c66a to a14220b on March 9, 2026 00:00

Kyzgor (author) commented Jun 7, 2026

The security/snyk (permit) check is in an ERROR state here. This PR changes no dependencies — it only edits the publish workflow's version-bump step and restores a corrupted scripts.version string in package.json — so this looks like an external/integration failure on the Snyk side for fork PRs rather than a vulnerability introduced by the change. Could a maintainer re-run it (or waive it for this fork PR)? Happy to help if anything is needed on my end.

zeevmoney (contributor) left a comment

Correct fix — npm version is JSON-aware and only mutates the top-level field, and it strips a leading v from the tag. One small nit.

Comment thread .github/workflows/node_sdk_publish.yaml Outdated
run: |
sed -i "s/\"version\": \".*\"/\"version\": \"${{ github.event.release.tag_name }}\"/" package.json
cat package.json
run: npm version "${{ github.event.release.tag_name }}" --no-git-tag-version --allow-same-version --ignore-scripts
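Review bot: the new `run:` line drops the `cat package.json` that followed the old sed, so the workflow log no longer shows the manifest the job is about to publish; keep a `cat package.json` (or the scripts.version check the PR description mentions) after the `npm version` line so a bad bump is visible in the run log before the publish step.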

A contributor commented on this thread:

[LOW] Add a comment explaining the three flags

--no-git-tag-version, --allow-same-version, and --ignore-scripts are non-obvious to a future maintainer.

Suggestion: Prefix with e.g. # bump top-level version only; no git tag, allow re-runs, skip the version lifecycle script.

Copilot AI left a comment

Pull request overview

This PR fixes the Node SDK publish workflow’s version-bump step to avoid corrupting package.json by replacing a greedy sed rewrite with npm version, and restores the previously corrupted scripts.version entry.

Changes:

  • Replace the CI sed-based version bump with npm version ... --no-git-tag-version --allow-same-version --ignore-scripts to only update the top-level version field.
  • Restore package.json’s scripts.version back to standard-version.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

  • package.json: Restores scripts.version to standard-version so release tooling isn’t broken.
  • .github/workflows/node_sdk_publish.yaml: Uses npm version (JSON-aware) instead of a greedy sed substitution during publish.

The publish workflow bumped the package version with a greedy sed that
matched every "version": "..." entry in package.json, corrupting
scripts.version (which the prepare-release lifecycle invokes via run-s).
Use npm version, which is JSON-aware and only touches the top-level field,
and restore the corrupted scripts.version back to "standard-version". A
post-bump assertion fails the release if scripts.version is ever clobbered
again.

For the repo's bare-semver release tags the bump is equivalent; npm version
additionally strips a stray leading "v" and validates semver (failing fast)
where the old sed wrote the tag verbatim. Flags: --no-git-tag-version (no CI
commit/tag), --allow-same-version (tolerate re-runs), --ignore-scripts (don't
fire the version lifecycle in CI).
Kyzgor force-pushed the fix/89-ci-version-bump-regex branch from a14220b to f6ec1b8 on June 23, 2026 22:37

Kyzgor (author) commented Jun 23, 2026

Thanks — pushed an update:

  • Added the inline comment explaining the three flags (--no-git-tag-version, --allow-same-version, --ignore-scripts).
  • On the leading v: npm version strips it and validates semver, where the old sed wrote the tag verbatim — called out in the body. For the repo's bare-semver tags it's equivalent; the v-strip only matters on a v-prefixed tag (an improvement, not a behaviour change for current releases).
  • Added a one-line post-bump assertion so the original scripts.version corruption can't silently come back.

Rebased on main; the lone red check is the known fork Snyk quota error.

Successfully merging this pull request may close these issues.

CI workflow uses a regexp replace and changed the version script