refactor!: use libnpmpublish#10385
Closed
KSXGitHub wants to merge 76 commits into
Closed
Conversation
4 tasks
3fa405b to
a87c168
Compare
This reverts commit 45f2c6a. We will use type casting
62aff7f to
86ff4dd
Compare
86ff4dd to
20d7a35
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Contributor
There was a problem hiding this comment.
Pull request overview
Refactors pnpm publish to publish packages directly via libnpmpublish (instead of shelling out to the npm CLI), while extending config/manifest tooling to better match npm’s package.json shape and adding new auth/OIDC helpers required for the new publish flow.
Changes:
- Replace
npm publishexecution with an internallibnpmpublish-based implementation (including tarball publishing). - Introduce new auth parsing (
authInfos) + OTP-from-env support + OIDC token exchange for provenance. - Update exportable-manifest output typing/normalization (notably
bin, required fields) to align with@npm/types.
Reviewed changes
Copilot reviewed 44 out of 45 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| releasing/plugin-commands-publishing/tsconfig.json | Switch referenced workspace deps (drop run-npm/auth-header, add fetch). |
| releasing/plugin-commands-publishing/test/utils/index.ts | Extend default test opts with authInfos and sslConfigs. |
| releasing/plugin-commands-publishing/test/removePnpmSpecificOptions.test.ts | Remove tests for now-deleted removePnpmSpecificOptions. |
| releasing/plugin-commands-publishing/test/registryConfigKeys.test.ts | Add unit tests for registry config key derivation/generation. |
| releasing/plugin-commands-publishing/test/recursivePublish.ts | Adjust error expectations for publish failures (now throws). |
| releasing/plugin-commands-publishing/test/publish.ts | Update publish tests for new tarball behavior + skip provenance test. |
| releasing/plugin-commands-publishing/test/optEnv.test.ts | Add tests for merging OTP from PNPM_CONFIG_OTP. |
| releasing/plugin-commands-publishing/test/extractManifestFromPacked.test.ts | Add tests for extracting package/package.json from tarballs. |
| releasing/plugin-commands-publishing/test/executeTokenHelper.test.ts | Add tests for token helper execution and stderr logging. |
| releasing/plugin-commands-publishing/test/FailedToPublishError.test.ts | Add tests for structured publish failure errors. |
| releasing/plugin-commands-publishing/src/registryConfigKeys.ts | Add helpers to derive and enumerate registry .npmrc keys. |
| releasing/plugin-commands-publishing/src/recursivePublish.ts | Extend recursive publish options to include packed-publish option set. |
| releasing/plugin-commands-publishing/src/publishPackedPkg.ts | New libnpmpublish-based publish implementation incl. auth/OIDC/provenance. |
| releasing/plugin-commands-publishing/src/publish.ts | Rework publish command to pack + publish via publishPackedPkg, add --otp. |
| releasing/plugin-commands-publishing/src/pack.ts | Change publishedManifest typing to ExportedManifest. |
| releasing/plugin-commands-publishing/src/otpEnv.ts | Add helper to read OTP from PNPM_CONFIG_OTP when not provided via CLI. |
| releasing/plugin-commands-publishing/src/oidc.ts | Add OIDC flow for provenance token exchange (GitHub/GitLab). |
| releasing/plugin-commands-publishing/src/extractManifestFromPacked.ts | Add tarball manifest extraction + tarball-path detection. |
| releasing/plugin-commands-publishing/src/executeTokenHelper.ts | Add token helper execution implementation (sync). |
| releasing/plugin-commands-publishing/src/FailedToPublishError.ts | Add richer publish error type/constructor with details. |
| releasing/plugin-commands-publishing/package.json | Add new deps (libnpmpublish, normalize-registry-url, ci-info, @pnpm/fetch). |
| pnpm-workspace.yaml | Add catalog entries for @npm/types, libnpmpublish, and typings. |
| pnpm-lock.yaml | Lockfile updates for newly introduced dependencies. |
| pkg-manifest/exportable-manifest/tsconfig.json | Add dependency on @pnpm/package-bins. |
| pkg-manifest/exportable-manifest/test/index.test.ts | Add tests ensuring name/version are required. |
| pkg-manifest/exportable-manifest/test/beforePackingHook.test.ts | Adjust hook test to preserve required fields. |
| pkg-manifest/exportable-manifest/src/transform/requiredFields.ts | New transform enforcing required name/version. |
| pkg-manifest/exportable-manifest/src/transform/peerDependenciesMeta.ts | New transform normalizing peerDependenciesMeta.optional. |
| pkg-manifest/exportable-manifest/src/transform/index.ts | Define ExportedManifest as @npm/types PackageJSON and pipe transforms. |
| pkg-manifest/exportable-manifest/src/transform/engines.ts | New transform mapping engines.runtime into devEngines.runtime. |
| pkg-manifest/exportable-manifest/src/transform/bin.ts | New transform normalizing string bin into an object via package-bins helper. |
| pkg-manifest/exportable-manifest/src/index.ts | Return ExportedManifest and apply transform pipeline before returning. |
| pkg-manifest/exportable-manifest/package.json | Add deps on @npm/types and @pnpm/package-bins. |
| pkg-manager/package-bins/test/normalizeBinObject.test.ts | Add tests for new normalizeBinObject. |
| pkg-manager/package-bins/src/index.ts | Export normalizeBinObject helper for bin normalization. |
| packages/types/src/package.ts | Tighten config typing and annotate workspaces compatibility note. |
| packages/make-dedicated-lockfile/src/index.ts | Cast exportable manifest back to ProjectManifest for writing. |
| cspell.json | Add new terms (libnpmpublish, sigstore, mytoken). |
| config/config/test/parseAuthInfo.test.ts | Add tests for new parseAuthInfo behavior and errors. |
| config/config/test/getNetworkConfigs.test.ts | Add tests for parsing authInfos, ssl, registries from raw config. |
| config/config/src/parseAuthInfo.ts | Add parsing of _authToken, _auth, username/_password, token helpers. |
| config/config/src/index.ts | Plumb authInfos + default auth info into Config from raw config. |
| config/config/src/getNetworkConfigs.ts | Extend parsing to include auth info and add getDefaultAuthInfo. |
| config/config/src/Config.ts | Add authInfos to config and extend Config with default-registry auth fields. |
| .changeset/tangy-pans-pull.md | Changeset documenting the breaking publish refactor and env var change for OTP. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+157
to
+160
| for (const registryConfigKey of allRegistryConfigKeys(initialRegistryConfigKey)) { | ||
| const auth: Pick<Config, AuthConfigKey> | undefined = authInfos[registryConfigKey] | ||
| const ssl: Pick<Config, SslConfigKey> | undefined = sslConfigs[registryConfigKey] | ||
|
|
There was a problem hiding this comment.
findAuthSslInfo indexes authInfos/sslConfigs using registryConfigKey values that always end with / (via longestRegistryConfigKey → ensureSuffix). However rawConfig keys historically appear without the trailing slash as well (e.g. //my-org.registry.example.com:_authToken), and getNetworkConfigs() will currently store those registry keys as-is. This mismatch means auth/SSL settings may not be found, causing publishes to run unauthenticated. Consider normalizing parsed registry keys in getNetworkConfigs (ensure a trailing /), or have findAuthSslInfo attempt both //host/ and //host forms when looking up entries.
Contributor
Author
There was a problem hiding this comment.
I think the registry should be appended trailing / regardless, right? I will test this later.
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 44 out of 45 changed files in this pull request and generated 1 comment.
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This was referenced Feb 10, 2026
Contributor
Author
|
Closed in favor of #10591 |
zkochan
pushed a commit
that referenced
this pull request
Feb 12, 2026
* chore(deps): add `libnpmpublish` to catalog * chore(deps): install `libnpmpublish` * feat: publishableManifest (wip) * feat: publishableManifest (wip) * chore(cspell): libnpmpublish * test: fix * feat: validate field and version * chore: @npm/types * chore: todo * refactor: reorganize * feat: transformRequiredFields * chore(deps): patch `libnpmpublish` * fix: `BaseManifest.config` * fix: eslint * chore(git): revert a patch that doesn't work This reverts commit 45f2c6a. We will use type casting * feat: `engines.runtime` * feat: normalize bin * fix: `bin === ''` * test: fix * refactor: inference friendly * feat: `peerDependenciesMeta` * refactor: group into a directory * refactor: use `ramda.pipe` * refactor: less intrusive type assertion * feat!: returning `ExportedManifest` * refactor: remove unnecessary file * docs: add a todo * refactor: getNetworkConfigs (#10458) Some tests are added as a bonus * feat: `publishPackedPkg` (wip) * feat: replace `\t` with 4 spaces * fix: newline * fix: newline * refactor: extract `FailedToPublishError` * test: FailedToPublishError * feat: registryConfigKeys * feat: `publishPackedPkg` (wip) * feat(config/getNetworkConfigs): load auth info * feat(config/getNetworkConfigs): load auth info (#10491) * feat: `publishPackedPkg` (wip) * refactor: extract a `static` function * fix: inheritance, override, and merge * feat: `executeTokenHelper` * fix: use the visible `globalWarn` * feat: add options * feat: add more options * docs: more links * fix: private packages * fix: --dry-run * feat: log more things * fix: name * fix: tag * refactor: remove extraneous `assertPublicPackage` * feat: use `publishPackedPkg` for directories * refactor: require only necessary fields * refactor: extractManifestFromPacked * fix: extractManifestFromPacked * test: extractManifestFromPacked * feat: isTarballPath * feat: use `publishPackedPkg` for tarballs * style: add an empty line for clarity * refactor: remove unnecessary works * feat: --otp * feat: PNPM_CONFIG_OTP * feat: oidc * test: fix name collision * fix: eslint * test: disable a false test * feat: set `provenance` * docs(todo): auto provenance * refactor: run oidc in `createPublishOptions` * fix: correct auth keys for `libnpmpublish` * docs: changeset * fix: incorrect `password` field * fix: typo, grammar * chore(git): resolve merge conflict ahead of time In preparation for #10385 * fix: field name * fix(config): decoding `_password` * fix: edge case of partial `cert`/`key` * fix: ensure `registry` always match its config key * fix: `_password` * test: correct a name * test: more specific assertions * fix: grammar * docs(changeset): fix grammar * docs: fix grammar * fix: clean up after failure * test: fix windows * feat(provenance): auto detect * refactor: consistent name * fix: correct error names * refactor: extract the `provenance` code * feat: show code and body of an error * refactor: use `encodeURIComponent` * refactor: rename a type * refactor: use the try-catch model * refactor: move `normalizeBinObject` * refactor: split `oidc` into `idToken` and `authToken` * refactor: run `next` on `stream`'s `'end'` * fix: use the correct encoding * feat: guard against weird names * test: `transform/engines` Closes #10599 * test: `transformPeerDependenciesMeta` Closes #10600 * refactor: dependency inject the `Date` too * refactor: export an interface * test: oidc Closes #10598 * refactor: re-arrange imports * refactor: remove unnecessary type casts * refactor: improve test
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.