Summary
During the rc window, a plain npm install cannot reach the release candidate — and stash init installs runtime packages unpinned, so it actively delivers broken or stale versions:
| package |
latest resolves to |
actual rc |
@cipherstash/stack |
0.19.0 (stale) |
1.0.0-rc.1 |
@cipherstash/stack-drizzle |
0.0.0 (placeholder — only real versions are 1.0.0-rc.0/rc.1) |
1.0.0-rc.1 |
@cipherstash/stack-supabase |
0.0.0 (placeholder) |
1.0.0-rc.1 |
@cipherstash/prisma-next |
0.3.2 (incompatible with @prisma-next/*@0.14) |
0.4.0-rc.1 |
Impact (observed in the 2026-07-16 skilltester eval, all 5 surfaces)
stack-drizzle@0.0.0 is an empty placeholder — /v3 imports fail (missing adapter-kit export).
stack@0.19.0 (protect-ffi ≤0.28) still throws EQL_V3_QUERY_UNSUPPORTED for v3 scalar/match/ORE encryptQuery. rc.1 fixed this — but two of five eval surfaces (hono-pg, next-drizzle) silently ended up on 0.19.0 via the dist-tag and were product-forced to fall back to EQL v2, concluding "v3 search doesn't work". The v2/v3 divergence in that eval traces entirely to this issue.
- The bundled skills also instruct unpinned
npm install @cipherstash/stack..., compounding it.
Fix
- At GA, advance
latest for all @cipherstash/* packages together.
npm deprecate (or unpublish) the 0.0.0 placeholders so nothing can resolve them.
stash init should pin the exact versions it installs (matched to its own release), not rely on dist-tags.
- Skills/docs install commands should carry an explicit version during pre-release windows.
Evidence: cipherstash/skilltester branch 20260716-01-claude, docs/evals/2026-07-16-rc1-full-run-report.md (finding 1) and docs/evals/vite-drizzle/2026-07-16-bug-init-installs-unpinned-mismatched-versions.md.
Summary
During the rc window, a plain
npm installcannot reach the release candidate — andstash initinstalls runtime packages unpinned, so it actively delivers broken or stale versions:latestresolves to@cipherstash/stack@cipherstash/stack-drizzle@cipherstash/stack-supabase@cipherstash/prisma-next@prisma-next/*@0.14)Impact (observed in the 2026-07-16 skilltester eval, all 5 surfaces)
stack-drizzle@0.0.0is an empty placeholder —/v3imports fail (missingadapter-kitexport).stack@0.19.0(protect-ffi ≤0.28) still throwsEQL_V3_QUERY_UNSUPPORTEDfor v3 scalar/match/OREencryptQuery. rc.1 fixed this — but two of five eval surfaces (hono-pg, next-drizzle) silently ended up on 0.19.0 via the dist-tag and were product-forced to fall back to EQL v2, concluding "v3 search doesn't work". The v2/v3 divergence in that eval traces entirely to this issue.npm install @cipherstash/stack..., compounding it.Fix
latestfor all@cipherstash/*packages together.npm deprecate(or unpublish) the0.0.0placeholders so nothing can resolve them.stash initshould pin the exact versions it installs (matched to its own release), not rely on dist-tags.Evidence: cipherstash/skilltester branch
20260716-01-claude,docs/evals/2026-07-16-rc1-full-run-report.md(finding 1) anddocs/evals/vite-drizzle/2026-07-16-bug-init-installs-unpinned-mismatched-versions.md.