
fix(publish): strip semver build metadata before packing#11525

Merged: zkochan merged 1 commit into main from fix/11518 on May 7, 2026

Conversation

zkochan (Member) commented May 7, 2026

Summary

  • Fixes #11518: pnpm publish --provenance was rejected by the registry with 422 Unprocessable Entity — Error verifying sigstore provenance bundle: Failed to validate the provenance subject against the package name, version and tarball integrity whenever the package version contained semver build metadata (e.g. 1.0.0-canary.0+abc1234).
  • Root cause: libnpmpublish.publish() runs semver.clean() on manifest.version before computing the provenance subject, and semver.clean() strips the +<build> segment. pnpm was packing the tarball with the original version, so the version embedded in the packed package.json no longer matched the version in the metadata payload / sigstore subject, and the registry rejected the publish. (npm's CLI dodges this because it normalizes the manifest before packing.)
  • Fix: strip semver build metadata in pack.ts after createPublishManifest, then derive both the tarball filename and the packed package.json from the cleaned version, so the tarball, the metadata, and the provenance subject all agree.

Test plan

  • New unit test (pack: strips semver build metadata from the version) verifies the tarball filename and the packed package.json use the cleaned version.
  • All 32 tests in releasing/commands/test/publish/pack.ts pass.
  • Manual verification on a real publish flow with --provenance is left to a maintainer who can exercise OIDC / a real registry.

Written by an agent (Claude Code, claude-opus-4-7).

Summary by CodeRabbit

  • Bug Fixes
    • Fixed publishing failures when package versions contain semver build metadata (e.g., 1.0.0+build). Build metadata is now automatically stripped during publishing to ensure consistent version handling across tarballs and registry submissions.

When a published version contained a `+<build>` segment (e.g.
`1.0.0-canary.0+abc1234`), `pnpm publish --provenance` was rejected by
the registry with a 422 verifying the sigstore provenance bundle.

`libnpmpublish.publish()` runs `semver.clean()` on `manifest.version`,
which strips build metadata, before computing the provenance subject.
pnpm was packing the tarball with the original version, so the version
embedded in the packed `package.json` no longer matched the version in
the metadata payload and the bundle's subject — causing the registry to
reject the publish.

Strip build metadata from the published version after creating the
publish manifest, then derive both the tarball filename and the
manifest packed inside the tarball from that cleaned version.

Closes #11518.
Copilot AI review requested due to automatic review settings May 7, 2026 15:19
coderabbitai (bot) commented May 7, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 24f3669 and 4ab7d27.

📒 Files selected for processing (3)
  • .changeset/publish-strip-build-metadata.md
  • releasing/commands/src/publish/pack.ts
  • releasing/commands/test/publish/pack.ts

Walkthrough

The pull request fixes pnpm publish --provenance failures caused by npm 422 errors when package versions contain semver build metadata. It introduces a stripBuildMetadata() utility and modifies the pack API to normalize versions by removing the +<build> suffix before tarball creation, ensuring the tarball filename, embedded manifest, and sigstore provenance remain synchronized.

Changes

Build Metadata Normalization

  • Build Metadata Utility (releasing/commands/src/publish/pack.ts): New stripBuildMetadata(version) helper removes the +<build> suffix from semver version strings.
  • Pack API Version Normalization (releasing/commands/src/publish/pack.ts): api() constructs publishManifest early, strips build metadata from its version, and uses the normalized version for tarball naming and --out path substitution instead of the original manifest version.
  • Test Coverage (releasing/commands/test/publish/pack.ts): New test case verifies that build metadata is stripped from the tarball filename and from the version in the extracted package.json within the tarball.
  • Release Documentation (.changeset/publish-strip-build-metadata.md): Changeset entry documents the patch fix for pnpm publish --provenance with versions containing semver build metadata.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • pnpm/pnpm#11478: Related modification to releasing/commands/src/publish/pack.ts's api() function and PackResult handling.

Poem

A rabbit hops through semver's tangled vine,
Where +build metadata caused registry pain,
With a simple snip—a helper so fine—
Tarball and provenance now align,
No more 422 in the npm domain! 🐰✨

Pre-merge checks: 4 passed, 1 warning

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: stripping semver build metadata before packing to fix the registry 422 error.
  • Linked Issues check: ✅ Passed. The code changes directly address issue #11518 by implementing the fix to strip build metadata from versions before packing, ensuring tarball and provenance metadata consistency.
  • Out of Scope Changes check: ✅ Passed. All changes are directly related to the stated objective: stripping build metadata in pack.ts, adding the helper function, updating tests, and creating changeset documentation.



Copilot AI (Contributor) left a comment
Pull request overview

This PR fixes pnpm publish --provenance failures when the package version contains SemVer build metadata (+...) by ensuring the packed tarball and packed package.json use the same normalized version that libnpmpublish uses when computing provenance-related metadata.

Changes:

  • Strip SemVer build metadata (+<build>) from the publish manifest version during packing and use the stripped version for tarball naming / --out %v expansion.
  • Add a unit test asserting both the tarball filename and the packed package.json version exclude build metadata.
  • Add a changeset bump documenting the fix.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

  • releasing/commands/src/publish/pack.ts: Normalizes the packed/published version by stripping build metadata and uses it consistently for tarball naming and packed manifest contents.
  • releasing/commands/test/publish/pack.ts: Adds coverage to confirm build metadata is removed from the tarball filename and packed package.json.
  • .changeset/publish-strip-build-metadata.md: Documents the patch-level fix for provenance publishing with build metadata versions.
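The mismatch that the PR description (root cause and fix) and the Copilot overview above both describe, modelled as an added example in plain TypeScript. This is not pnpm's or libnpmpublish's code: the tarball naming convention ("<name>-<version>.tgz", scoped names flattened), the modelling of semver.clean() as a plain strip of the "+<build>" segment, and the registry-side check (which compares only name and version, not tarball integrity) are all simplifying assumptions made for the example. The sample manifest is constructed, using the version shape from the linked issue.

```typescript
// Added example, not pnpm's or libnpmpublish's code. It models why the provenance
// subject and the packed package.json diverge when the version carries build
// metadata, and why normalizing the version once, before packing, fixes it.

export interface Manifest {
  name: string;
  version: string;
}

export interface PackResult {
  fileName: string;         // name of the .tgz that would be written
  packedManifest: Manifest; // package.json as it would appear inside the tarball
}

export interface ProvenanceSubject {
  name: string;
  version: string;
}

// Drop the SemVer build-metadata segment ("+<build>"). SemVer 2.0.0 allows "+"
// only as the start of build metadata, so the first "+" is the only one.
export function stripBuildMetadata(version: string): string {
  const plus = version.indexOf('+');
  return plus === -1 ? version : version.slice(0, plus);
}

// Tarball naming convention assumed for this example: "<name>-<version>.tgz",
// with a scoped "@scope/pkg" flattened to "scope-pkg".
export function tarballFileName(name: string, version: string): string {
  const flat = name.startsWith('@') ? name.slice(1).replace('/', '-') : name;
  return `${flat}-${version}.tgz`;
}

// Subject as the description says libnpmpublish computes it: manifest.version is
// passed through semver.clean(), which strips build metadata. Modelled here with
// stripBuildMetadata(); the real semver.clean() also trims whitespace and a leading "v".
export function provenanceSubject(manifest: Manifest): ProvenanceSubject {
  return { name: manifest.name, version: stripBuildMetadata(manifest.version) };
}

// pack() with the bug: tarball name and packed package.json keep the original
// version, build metadata included.
export function packWithOriginalVersion(manifest: Manifest): PackResult {
  return {
    fileName: tarballFileName(manifest.name, manifest.version),
    packedManifest: { ...manifest },
  };
}

// pack() with the fix: normalize once, then derive both the tarball name and the
// packed manifest from the cleaned version.
export function packWithCleanedVersion(manifest: Manifest): PackResult {
  const version = stripBuildMetadata(manifest.version);
  return {
    fileName: tarballFileName(manifest.name, version),
    packedManifest: { ...manifest, version },
  };
}

// Simplified stand-in for the registry's validation: the subject must match the
// packed manifest's name and version, and the tarball must be the one derived
// from that same version. (npm additionally checks the tarball's integrity hash.)
export function registryAccepts(packed: PackResult, subject: ProvenanceSubject): boolean {
  const { name, version } = packed.packedManifest;
  return name === subject.name
    && version === subject.version
    && packed.fileName === tarballFileName(subject.name, subject.version);
}

// Constructed sample input, using the version shape from the linked issue.
export const SAMPLE: Manifest = { name: '@acme/widget', version: '1.0.0-canary.0+abc1234' };

// Before the fix the subject says 1.0.0-canary.0 while the packed package.json
// says 1.0.0-canary.0+abc1234, so the check fails; after the fix they agree.
export function demo(): { before: boolean; after: boolean } {
  const subject = provenanceSubject(SAMPLE);
  return {
    before: registryAccepts(packWithOriginalVersion(SAMPLE), subject),
    after: registryAccepts(packWithCleanedVersion(SAMPLE), subject),
  };
}

console.log(demo()); // { before: false, after: true }
```

The point the example makes is that the cleaning has to happen once, upstream of everything derived from the version: if the subject is cleaned by one library and the tarball is produced from the raw manifest by another, the two artifacts disagree and the signed provenance no longer attests to the bytes actually uploaded.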


@zkochan zkochan merged commit 8eb1be4 into main May 7, 2026
17 checks passed
@zkochan zkochan deleted the fix/11518 branch May 7, 2026 15:56
zkochan added a commit that referenced this pull request May 8, 2026

Development

Successfully merging this pull request may close these issues.

pnpm publish --provenance fails with 422 when version contains +buildmeta