feat: optimize changelog check for package.json changes

[cryptodev-2s]

Description

This PR significantly improves the changelog check workflow by optimizing package.json change detection, adding support for skipping changelog requirements in common scenarios, and implementing smart changelog section detection for release PRs.

🎯 Enhanced Skip Logic

• Version-only changes: Skip when only the version field is modified
• Dev dependency-only changes: Skip when only devDependencies are modified
• Combined changes: Skip when changes are only version + dev dependencies
• Release PR detection: When version changes are detected, look for changelog entries in the corresponding version section

Fixes

• Changelog checker should not treat package.json as changed if it only has changes to devDependencies #77
• Changelog checker should take a release_candidate or rc flag that checks for entries to be placed in given version rather than Unreleased #78

Examples

✅ Will be skipped (no changelog required):

// Version only
"version": "1.0.0" → "1.0.1"

// Dev dependencies only  
"devDependencies": { "jest": "^27.5.1" → "^27.5.2" }

// Version + dev dependencies
"version": "1.0.0" → "1.0.1"
"devDependencies": { "jest": "^27.5.1" → "^27.5.2" }

❌ Will require changelog:

// Regular dependencies
"dependencies": { "lodash": "^4.0.0" → "^4.1.0" }

// Scripts, main, types, etc.
"main": "index.js" → "dist/index.js"

[mcmire]

I think this looks correct, but I had some suggestions for simplifying the changes.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​semver@​7.3.13 ⏵ 7.7.0
	semver@​7.5.4 ⏵ 7.7.2	+1		+1

View full report

[mcmire]

A few more things I noticed, but I tested this out and everything else looks good.

[cursor]

Bug: Package.json Parsing Fails on Duplicate Lines

The getDevDependencyLines function incorrectly classifies changes within package.json files. It uses findIndex to locate change lines in the full diff output, which always returns the first occurrence. If the same line content appears multiple times (e.g., a dependency change in both dependencies and devDependencies), the function misidentifies its true position. This leads to an incorrect determination of whether a change is within the devDependencies section, potentially causing erroneous changelog requirements (e.g., requiring an entry for a pure dev dependency update) or incorrectly skipping other changes.

src/changelog-check.ts#L150-L163

github-tools/src/changelog-check.ts

Lines 150 to 163 in 5ad7e40

	// Check which nonVersionLines fall within devDependencies sections
	for (const changeLine of nonVersionLines) {
	const lineIndex = allLines.findIndex((line) => line === changeLine);
	if (lineIndex !== -1) {
	// Check if this line falls within any devDependencies section
	const isInDevDeps =
	lineIndex >= devDependencySectionStart &&
	lineIndex <= devDependencySectionEnd;
	if (isInDevDeps) {
	devDependencyLines.push(changeLine);
	}
	}
	}

Fix in Cursor • Fix in Web

---

Bug: Version Parsing Errors Cause Script Crash

The isVersionDowngrade function does not handle errors when creating SemVer objects from oldVersion or newVersion. If these version strings are invalid semantic versions, the SemVer constructor throws an unhandled exception, crashing the script. This bypasses the error handling in the calling analyzePackageJsonChanges function.

src/changelog-check.ts#L174-L180

github-tools/src/changelog-check.ts

Lines 174 to 180 in 5ad7e40

	*/
	const isVersionDowngrade = (
	oldVersion: string,
	newVersion: string,
	): boolean => {
	return new SemVer(newVersion).compare(new SemVer(oldVersion)) < 0;
	};

Fix in Cursor • Fix in Web

---

Was this report helpful? Give feedback by reacting with 👍 or 👎

[mcmire]

LGTM!