Last pnpm version that worked
10.33.3
pnpm version
11.0.0 and 11.0.8
Code to reproduce the issue
package.json

```json
{
  "name": "pnpm-provenance-repro",
  "version": "1.0.0",
  "description": "Repro for pnpm publish --provenance failing with build metadata",
  "packageManager": "pnpm@11.0.0"
}
```
.github/workflows/publish.yml

```yaml
name: provenance repro
on:
  workflow_dispatch:
  push:
    branches: [main]
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 24
      - uses: pnpm/action-setup@v5
      - name: Bump to canary version with build metadata
        run: |
          BASE=$(jq -r .version package.json)
          TS=$(date -u +%Y%m%d%H%M%S)
          SHA=$(git rev-parse --short HEAD)
          pnpm version --no-git-tag-version "${BASE}-canary.${TS}+${SHA}"
          cat package.json
      - name: Publish (with provenance)
        run: pnpm publish --no-git-checks --provenance --access public
```
Configure a trusted publisher on the package on npmjs.com (repo + workflow filename). Push to main.
A/B verification: change the bump line to use `.` instead of `+`:

```shell
pnpm version --no-git-tag-version "${BASE}-canary.${TS}.${SHA}"
```
Expected behavior
pnpm publish --provenance should produce a sigstore bundle that npm accepts, regardless of whether the version contains a +<buildmeta> segment. Versions like 1.2.3-canary.0+abc1234 are valid semver.
Actual behavior
npm rejects the publish with:
```text
📦 pnpm-provenance-repro@0.0.1-canary.20260507102941+f2a94758bf → https://registry.npmjs.org/
E422 422 Unprocessable Entity - PUT https://registry.npmjs.org/pnpm-provenance-repro - Error verifying sigstore provenance bundle: Failed to validate the provenance subject against the package name, version and tarball integrity. Please try re-publishing with the latest stable version of npm
```
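The registry error above says it validates the provenance subject against three things: package name, version and tarball integrity. As an added example (not code from this issue, from pnpm, or from npm/libnpmpublish), the script below performs that comparison locally on constructed data, so a release engineer can see which of the three fields disagrees before trusting a bundle. The subject name is built as a package-URL; the choice to percent-encode the scope `@` and the build-metadata `+` (`%40`, `%2B`) is an assumption made here, not something the issue states, and the tarball bytes and statement are constructed stand-ins.

```python
import hashlib
import json
from urllib.parse import quote

IN_TOTO_STATEMENT_PREFIX = "https://in-toto.io/Statement/"


def npm_purl(name: str, version: str) -> str:
    """Subject name for an npm package as a package-URL.
    Assumption (not taken from the issue): the scope '@' and the semver
    build-metadata '+' are percent-encoded (%40, %2B) in the purl."""
    return f"pkg:npm/{quote(name, safe='/')}@{quote(version, safe='.-')}"


def tarball_sha512(tarball: bytes) -> str:
    """Hex sha512 of the packed tarball; npm records integrity as sha512."""
    return hashlib.sha512(tarball).hexdigest()


def make_statement(name: str, version: str, tarball: bytes) -> dict:
    """Constructed in-toto statement with a provenance-style subject list
    (the predicate is left empty; only the subject matters for this check)."""
    return {
        "_type": IN_TOTO_STATEMENT_PREFIX + "v1",
        "subject": [{"name": npm_purl(name, version),
                     "digest": {"sha512": tarball_sha512(tarball)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {},
    }


def verify_subject(statement: dict, name: str, version: str, tarball: bytes) -> list:
    """Compare the statement's single subject with the package about to be
    trusted. Returns human-readable mismatches; [] means name, version (via
    the purl) and tarball integrity all agree."""
    problems = []
    if not str(statement.get("_type", "")).startswith(IN_TOTO_STATEMENT_PREFIX):
        problems.append("not an in-toto statement")
    subjects = statement.get("subject") or []
    if len(subjects) != 1:
        problems.append(f"expected exactly one subject, found {len(subjects)}")
        return problems
    subject = subjects[0]
    expected_name = npm_purl(name, version)
    if subject.get("name") != expected_name:
        problems.append(f"subject name {subject.get('name')!r} != expected {expected_name!r}")
    if (subject.get("digest") or {}).get("sha512") != tarball_sha512(tarball):
        problems.append("subject sha512 does not match the tarball")
    return problems


# Constructed sample data: a canary version with build metadata and a tarball stand-in.
SAMPLE_NAME = "pnpm-provenance-repro"
SAMPLE_VERSION = "1.0.0-canary.20260507102941+f2a94758bf"
SAMPLE_TARBALL = b"constructed tarball bytes, not a real npm pack output"


def demo() -> dict:
    """Run the three cases a verifier cares about and return the mismatch lists."""
    good = make_statement(SAMPLE_NAME, SAMPLE_VERSION, SAMPLE_TARBALL)
    # Same package, but the subject name carries the raw '+' instead of the
    # encoded form: only the name check fails.
    raw_plus = json.loads(json.dumps(good))
    raw_plus["subject"][0]["name"] = f"pkg:npm/{SAMPLE_NAME}@{SAMPLE_VERSION}"
    return {
        "ok": verify_subject(good, SAMPLE_NAME, SAMPLE_VERSION, SAMPLE_TARBALL),
        "name_mismatch": verify_subject(raw_plus, SAMPLE_NAME, SAMPLE_VERSION, SAMPLE_TARBALL),
        # Same subject, but the bytes being installed differ: only integrity fails.
        "tampered": verify_subject(good, SAMPLE_NAME, SAMPLE_VERSION, SAMPLE_TARBALL + b"x"),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", "match" if not problems else problems)
```

Running it prints one line per case; the `name_mismatch` case is the shape of failure the registry message describes, where the digest is fine but the subject name does not equal what the verifier derives from the package name and version.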
Additional information
Likely related to the move to a native publish flow in 11.0.0, and possibly a bug in libnpmpublish itself.
Node.js version
v24.14.1
Operating System
Linux