happyskills 0.27.1 → 0.27.2

package/CHANGELOG.md

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/).
 
 ## [Unreleased]
 
+## [0.27.2] - 2026-04-02
+
+### Fixed
+- Fix `publish` not syncing dependency declarations to the lock file when publishing an existing skill — the lock entry's `dependencies` field was stale after publish
+- Fix `refresh` not detecting dependency drift — skills whose lock `dependencies` diverged from the installed `skill.json` were incorrectly reported as up-to-date because the staleness check was purely commit-based
+
 ## [0.27.1] - 2026-04-02
 
 ### Fixed

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "happyskills",
-	"version": "0.27.1",
+	"version": "0.27.2",
 	"description": "Package manager for AI agent skills",
 	"license": "SEE LICENSE IN LICENSE",
 	"author": "Nicolas Dao <nic@cloudlesslabs.com> (https://cloudlesslabs.com)",

package/src/commands/publish.js

@@ -229,7 +229,8 @@ const run = (args) => catch_errors('Publish failed', async () => {
 				ref: push_data?.ref || `refs/tags/v${manifest.version}`,
 				commit: push_data?.commit || null,
 				base_commit: push_data?.commit || null,
-				base_integrity: (!hash_err && integrity) ? integrity : null
+				base_integrity: (!hash_err && integrity) ? integrity : null,
+				dependencies: manifest.dependencies || {}
 			}
 			if (!hash_err && integrity) updated_entry.integrity = integrity
 			delete updated_entry.merge_parents

package/src/commands/refresh.js

@@ -1,6 +1,7 @@
 const { error: { catch_errors, wrap_errors: e } } = require('puffy-core')
 const { install } = require('../engine/installer')
 const { read_lock, get_all_locked_skills } = require('../lock/reader')
+const { read_manifest } = require('../manifest/reader')
 const { detect_status } = require('../merge/detector')
 const repos_api = require('../api/repos')
 const { print_help, print_table, print_json, print_info, print_success, print_warn, print_hint, code } = require('../ui/output')
@@ -26,6 +27,16 @@ Examples:
   happyskills refresh -y
   happyskills refresh -g -y --json`
 
+/**
+ * Returns true if the lock entry's dependencies differ from the installed skill.json's dependencies.
+ */
+const has_dependency_drift = (lock_entry, manifest) => {
+	if (!manifest) return false
+	const lock_deps = JSON.stringify(lock_entry.dependencies || {})
+	const manifest_deps = JSON.stringify(manifest.dependencies || {})
+	return lock_deps !== manifest_deps
+}
+
 const confirm_prompt = (question) => new Promise((resolve) => {
 	const readline = require('readline')
 	const rl = readline.createInterface({ input: process.stdin, output: process.stderr })
@@ -72,6 +83,15 @@ const run = (args) => catch_errors('Refresh failed', async () => {
 		}
 	} else {
 		spinner?.succeed('Checked for updates')
+		const base_dir = skills_dir(is_global, project_root)
+		// Read all installed manifests in parallel to check for dependency drift
+		const manifest_map = {}
+		await Promise.all(to_check.map(async ([name]) => {
+			const short_name = name.split('/')[1] || name
+			const dir = skill_install_dir(base_dir, short_name)
+			const [, manifest] = await read_manifest(dir)
+			if (manifest) manifest_map[name] = manifest
+		}))
 		for (const [name, data] of to_check) {
 			const info = batch_data?.results?.[name]
 			if (info?.access_denied) {
@@ -83,6 +103,9 @@ const run = (args) => catch_errors('Refresh failed', async () => {
 			} else if (!data.base_commit && info.latest_version !== data.version) {
 				// Fallback to version comparison for old lock files without base_commit
 				results.push({ skill: name, installed: data.version, latest: info.latest_version, status: 'outdated' })
+			} else if (has_dependency_drift(data, manifest_map[name])) {
+				// Lock dependencies are stale compared to installed skill.json
+				results.push({ skill: name, installed: data.version, latest: info.latest_version, status: 'outdated' })
 			} else {
 				results.push({ skill: name, installed: data.version, latest: info.latest_version, status: 'up-to-date' })
 			}