
release: fail on pre-existing npm package versions#283

Merged
BunsDev merged 2 commits into
mainfrom
codex/propose-fix-for-npm-publish-vulnerability
Jul 1, 2026

Conversation


@BunsDev BunsDev commented Jun 30, 2026

Member

Motivation

  • The release script previously skipped publishing when npm view <pkg>@<version> indicated a version existed, which silently trusts any pre-published artifact and can allow a malicious or stale package to be accepted into a release.
  • The intent is to make publishes fail closed for real (non-dry-run) publishes so an unexpected existing registry version blocks the release and forces human review.

Description

  • Replace the skip-on-existing flow by renaming publishOrSkip to publishPackage and make the main publish path call publishPackage for both platform and wrapper packages in scripts/publish-npm.mjs.
  • Change publishPackage to call packageVersionPublished(...) and call fail(...) when a package version is already present instead of logging and returning, preventing the release from trusting unverified existing artifacts.
  • Update scripts/publish-npm-test.mjs to assert the new fail-closed behavior (look for function publishPackage( and the refusal message) and to remove expectations about the previous "Skipping ... already published" behavior.

Testing

  • Ran node --test scripts/publish-npm-test.mjs and all tests passed (40 tests, 0 failures).
  • Ran git diff --check and it reported no whitespace or diff errors.

Codex Task
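An added example, not the project's scripts/publish-npm.mjs, showing the fail-closed gate the PR describes next to the skip-on-existing behaviour it replaces. The package names, the registry snapshot and the helpers publishOrSkip, publishPackage, releaseAll, recordingPublisher and ReleaseBlocked are assumptions for illustration; the real script's packageVersionPublished shells out to npm view, which is replaced here by an injected lookup so the example runs offline. It also goes one step beyond the PR's hunk: the lookup runs during dry runs too and reports the collision, instead of skipping the check, so a rehearsal surfaces the same problem the real publish would fail on.

```javascript
// Added example, not the project's publish script. Package names, versions,
// the registry snapshot and every helper here are constructed for illustration.

// Constructed stand-in for the npm registry. The real script asks the registry
// via `npm view <pkg>@<version>`; the lookup is injected here so this runs offline.
const REGISTRY_SNAPSHOT = {
  "@example/cli-linux-x64": ["1.4.0", "1.4.1"],
  "@example/cli-darwin-arm64": ["1.4.0"],
  "@example/cli": ["1.4.0"],
};

function snapshotLookup(packageName, version) {
  return (REGISTRY_SNAPSHOT[packageName] ?? []).includes(version);
}

class ReleaseBlocked extends Error {
  constructor(packageName, version) {
    super(`${packageName}@${version} is already published to npm; ` +
      "refusing to trust an unverified pre-existing artifact");
    this.name = "ReleaseBlocked";
    this.packageName = packageName;
    this.version = version;
  }
}

// Pre-fix behaviour the PR removes: an existing version is silently skipped, so
// whatever already sits on the registry under that name becomes part of the release.
function publishOrSkip(packageName, version, { isPublished, runPublish }) {
  if (isPublished(packageName, version)) {
    return { action: "skipped", packageName, version };
  }
  runPublish(packageName, version);
  return { action: "published", packageName, version };
}

// Fail-closed replacement: a real publish throws on a collision. Unlike the
// PR's hunk, the lookup also runs during a dry run so the collision is reported
// before anyone attempts the real release (a design choice of this example).
function publishPackage(packageName, version, { dryRun, isPublished, runPublish }) {
  const collision = isPublished(packageName, version);
  if (collision && !dryRun) {
    throw new ReleaseBlocked(packageName, version);
  }
  if (dryRun) {
    return { action: "dry-run", packageName, version, collision };
  }
  runPublish(packageName, version);
  return { action: "published", packageName, version, collision: false };
}

// Platform packages first, then the wrapper that depends on them. Because
// publishPackage throws, a collision on any platform package stops the release
// before the wrapper is pushed; nothing after the failing package is published.
function releaseAll(platformPackages, wrapperPackage, version, opts) {
  const results = [];
  for (const name of [...platformPackages, wrapperPackage]) {
    results.push(publishPackage(name, version, opts));
  }
  return results;
}

// Records publishes instead of running `npm publish`.
function recordingPublisher() {
  const published = [];
  return {
    published,
    runPublish: (name, version) => published.push(`${name}@${version}`),
  };
}

// Stand-alone run: 1.4.1 collides on the linux package and is blocked with
// nothing published; 1.5.0 is clean and all three packages go out.
function demo() {
  const platforms = ["@example/cli-linux-x64", "@example/cli-darwin-arm64"];
  const { published, runPublish } = recordingPublisher();
  const opts = { dryRun: false, isPublished: snapshotLookup, runPublish };
  let blocked = null;
  try {
    releaseAll(platforms, "@example/cli", "1.4.1", opts);
  } catch (err) {
    blocked = err.name;
    console.log(`${err.name}: ${err.message}`);
  }
  const publishedBeforeClean = published.length;
  const clean = releaseAll(platforms, "@example/cli", "1.5.0", opts);
  console.log(clean.map((r) => `${r.action} ${r.packageName}@${r.version}`).join("\n"));
  return { blocked, publishedBeforeClean, published: [...published] };
}

demo();
```

The contrast worth noticing is in what the caller gets back: publishOrSkip hands the release a "skipped" result and moves on, so a name-squatted or stale artifact is accepted without anyone looking at it; publishPackage turns the same condition into an exception that unwinds releaseAll before the wrapper is pushed, which is what "fail closed and force human review" means in practice.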

Copilot AI review requested due to automatic review settings June 30, 2026 19:43

Copilot AI left a comment

Contributor


Pull request overview

This PR hardens the npm release flow by making real publishes fail closed when a target package@version already exists on the registry, preventing the release process from implicitly trusting any pre-published artifact.

Changes:

  • Replace the previous “publish or skip if already published” flow with publishPackage(...) and use it for both platform and wrapper package publishing.
  • Change the behavior on “version exists” from “log + return” to a hard failure via fail(...).
  • Update the publish script tests to assert the new fail-closed behavior and remove the prior “Skipping … already published” expectations.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File: scripts/publish-npm.mjs
Description: Switches to fail-closed behavior when an npm version already exists, and renames the publishing helper to publishPackage.

File: scripts/publish-npm-test.mjs
Description: Updates assertions to reflect the new publishPackage helper and refusal/fail-closed behavior.


Comment thread scripts/publish-npm.mjs
Comment on lines +90 to 93
function publishPackage(packageName, version, dryRun, cwd) {
if (!dryRun && packageVersionPublished(packageName, version)) {
console.log(`Skipping ${packageName}@${version}: already published to npm.`);
return;
fail(`${packageName}@${version} is already published to npm. Refusing to publish wrappers that could trust an unverified pre-existing artifact.`);
}
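Review bot: the registry lookup is still gated on `!dryRun`, so a dry run of a release never calls packageVersionPublished and will not surface the collision that the real publish now fails on; consider running the lookup in dry runs as well and reporting the existing version (keeping the hard `fail(...)` for real publishes only), so the rehearsal and the real run disagree on nothing but the side effect. Separately, the new message reads "Refusing to publish wrappers that could trust an unverified pre-existing artifact", but per the PR description publishPackage is now called for platform packages too, so when a platform package collides the message names the wrong thing; a package-neutral wording such as "refusing to trust an unverified pre-existing artifact" would fit both call sites.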
@BunsDev BunsDev merged commit d66004c into main Jul 1, 2026
14 checks passed
@BunsDev BunsDev deleted the codex/propose-fix-for-npm-publish-vulnerability branch July 1, 2026 06:07