release: fail on pre-existing npm package versions #283
Merged
Conversation
Contributor
Pull request overview
This PR hardens the npm release flow by making real publishes fail closed when a target package@version already exists on the registry, preventing the release process from implicitly trusting any pre-published artifact.
Changes:
- Replace the previous “publish or skip if already published” flow with `publishPackage(...)` and use it for both platform and wrapper package publishing.
- Change the behavior on “version exists” from “log + return” to a hard failure via `fail(...)`.
- Update the publish script tests to assert the new fail-closed behavior and remove the prior “Skipping … already published” expectations.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| scripts/publish-npm.mjs | Switches to fail-closed behavior when an npm version already exists, and renames the publishing helper to publishPackage. |
| scripts/publish-npm-test.mjs | Updates assertions to reflect the new publishPackage helper and refusal/fail-closed behavior. |
Comment on lines +90 to 93
| function publishPackage(packageName, version, dryRun, cwd) { | ||
| if (!dryRun && packageVersionPublished(packageName, version)) { | ||
| console.log(`Skipping ${packageName}@${version}: already published to npm.`); | ||
| return; | ||
| fail(`${packageName}@${version} is already published to npm. Refusing to publish wrappers that could trust an unverified pre-existing artifact.`); | ||
| } |
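Review bot: the existence check is still gated on `!dryRun`, so a dry run of this script never exercises the new refusal; a release rehearsal will report success for a version that the real run then rejects with `fail(...)`. Consider calling `packageVersionPublished(packageName, version)` regardless of `dryRun` and only skipping the actual `npm publish` step when `dryRun` is set, so the collision surfaces before the real release. Separately, the refusal message says "Refusing to publish wrappers", but the overview states `publishPackage` is now used for platform packages as well, so the message is misleading for those callers; wording such as "Refusing to publish over a pre-existing, unverified artifact" fits both.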
Motivation
The previous flow skipped publishing when `npm view <pkg>@<version>` indicated a version existed, which silently trusts any pre-published artifact and can allow a malicious or stale package to be accepted into a release.
Description
- Rename `publishOrSkip` to `publishPackage` and make the main publish path call `publishPackage` for both platform and wrapper packages in `scripts/publish-npm.mjs`.
- Update `publishPackage` to call `packageVersionPublished(...)` and call `fail(...)` when a package version is already present instead of logging and returning, preventing the release from trusting unverified existing artifacts.
- Update `scripts/publish-npm-test.mjs` to assert the new fail-closed behavior (look for `function publishPackage(` and the refusal message) and to remove expectations about the previous "Skipping ... already published" behavior.
Testing
- Ran `node --test scripts/publish-npm-test.mjs` and all tests passed (40 tests, 0 failures).
- Ran `git diff --check` and it reported no whitespace or diff errors.
Codex Task
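The gate described above, as an added example that is not the project's `scripts/publish-npm.mjs`: it implements the same fail-closed rule (refuse when `<name>@<version>` is already on the registry) and goes one step further on two edge cases a release pipeline hits in practice. The registry lookup returns a three-way answer so that a failed `npm view` (network or auth error) is refused rather than mistaken for "not published", and the existence check also runs in dry-run mode so a rehearsal surfaces a collision before the real release. The names `runNpm`, `registryState`, `publishPackage` and `PublishError` are this example's own, and the command runner is injectable so the logic can be exercised offline with constructed `npm` results. It assumes npm 9/10 behaviour for `npm view <name>@<version> version`: empty output and exit 0 when the package exists but that version does not, and a non-zero exit with `E404` on stderr when the package name is unknown.

```javascript
"use strict";
// Added example, not the project's own scripts/publish-npm.mjs: a fail-closed
// publish gate with an injectable command runner so it can be exercised offline.
// Assumptions (npm 9/10 behaviour): `npm view <name>@<version> version` prints
// nothing and exits 0 when the package exists but that version does not, and
// exits non-zero with "E404" on stderr when the package name is unknown.

class PublishError extends Error {}

// Default runner: shells out to the real npm. Loaded lazily so the rest of the
// file has no top-level CommonJS/ESM dependency; swap in an import for an .mjs file.
function runNpm(args, cwd) {
  const { execFileSync } = require("node:child_process");
  try {
    const stdout = execFileSync("npm", args, {
      cwd, encoding: "utf8", stdio: ["ignore", "pipe", "pipe"],
    });
    return { code: 0, stdout, stderr: "" };
  } catch (err) {
    // execFileSync throws on non-zero exit; normalise to a result object
    return { code: err.status ?? 1, stdout: err.stdout ?? "", stderr: err.stderr ?? "" };
  }
}

// Three-way answer instead of a boolean: "published", "absent", or "unknown".
// "unknown" (network error, auth error, registry outage) must NOT be treated
// as "absent", or a flaky lookup would silently re-open the hole the PR closes.
function registryState(name, version, run = runNpm, cwd = process.cwd()) {
  const res = run(["view", `${name}@${version}`, "version"], cwd);
  if (res.code === 0) {
    return res.stdout.trim() === "" ? "absent" : "published";
  }
  if (/\bE404\b/.test(res.stderr)) return "absent";
  return "unknown";
}

// Refuse to publish over an existing artifact, refuse when the check itself
// failed, and run the check even in dry-run mode so a rehearsal surfaces the
// collision before the real release does.
function publishPackage(name, version, { dryRun = false, cwd = process.cwd(), run = runNpm } = {}) {
  const spec = `${name}@${version}`;
  const state = registryState(name, version, run, cwd);
  if (state === "published") {
    throw new PublishError(`${spec} is already published to npm; refusing to trust a pre-existing artifact.`);
  }
  if (state === "unknown") {
    throw new PublishError(`could not confirm whether ${spec} is published; refusing to publish blind.`);
  }
  if (dryRun) {
    return { action: "dry-run", spec }; // check ran, nothing was uploaded
  }
  const res = run(["publish", "--access", "public"], cwd);
  if (res.code !== 0) {
    throw new PublishError(`npm publish failed for ${spec}: ${res.stderr.trim()}`);
  }
  return { action: "published", spec };
}
```

A real caller would invoke it once per platform package and once per wrapper, e.g. `publishPackage("@scope/tool-linux-x64", "1.4.0", { cwd: "packages/linux-x64" })`, and let the thrown `PublishError` abort the whole release; the thing to notice is that neither a pre-existing version nor an inconclusive lookup can fall through to `npm publish`.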