fix: publish web-auth honors proxy when polling doneUrl

[zkochan]

Summary

• pnpm publish failed to complete the web-based authentication flow when an HTTP/HTTPS proxy was configured. libnpmpublish (used for the initial publish request) routes through the proxy, but the subsequent doneUrl polling went through @pnpm/network.fetch without forwarding any proxy/TLS settings. The registry rejected the poll with 403 because the source IP differed from the initial request, so publish hung on the QR-code prompt forever.
• Adds createDispatchedFetch(opts) to @pnpm/network.fetch — a curried fetchWithDispatcher that pre-binds proxy / TLS / local-address / configByUri-derived client certificates. publishPackedPkg uses it to build an OtpContext whose fetch honors the same network configuration as the publish request.
• extractTlsConfigs is now performed automatically inside createDispatchedFetch (and hoisted out of the per-request loop in createFetchFromRegistry), so callers only have to pass configByUri once.

Fixes #11561.

Test plan

• Unit test added (releasing/commands/test/publish/createPublishContext.test.ts) — asserts that the publish-side helper forwards httpProxy / httpsProxy / noProxy / localAddress / strictSsl / ca / cert / key / configByUri to createDispatchedFetch, that fetchTimeout is translated to timeout, and that the resulting context.fetch is the dispatched fetch.
• Unit test added (network/fetch/test/fetchFromRegistry.test.ts) — covers the new createDispatchedFetch helper end-to-end against a MockAgent.
• Existing publish OTP/web-auth tests still pass (releasing/commands/test/publish/otp.test.ts, 14 tests).
• Full publish-tests suite passes (168 tests, 4 pre-existing skips).
• @pnpm/network.fetch test suite passes (37 tests).
• pnpm run lint clean (only pre-existing jest/no-disabled-tests warnings).
• Manual verification behind a real HTTPS proxy — left for a maintainer with proxy access; the fix is purely additive plumbing.

---

Written by an agent (Claude Code, claude-opus-4-7).

Summary by CodeRabbit

• New Features

  • Publish flow now accepts proxy/TLS-related options so the publish and its web-auth polling use the same network configuration.

• Bug Fixes

  • Fixed web-based authentication polling to respect HTTP/HTTPS proxy and no-proxy settings, preventing stalled authentication.

• Documentation

  • Clarified that callers must provide a fetch implementation honoring network (proxy/TLS) configuration.

• Tests

  • Added tests covering dispatcher-aware fetch and publish context network behavior.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 014a8944-bc0f-4cac-b667-483d00b9dca5

📥 Commits

Reviewing files that changed from the base of the PR and between 18a6d96 and de7738a.

📒 Files selected for processing (2)

• releasing/commands/src/publish/publishPackedPkg.ts
• releasing/commands/test/publish/createPublishContext.test.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• releasing/commands/src/publish/publishPackedPkg.ts

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Compile & Lint

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{js,ts,tsx,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{js,ts,tsx,jsx}: Use trailing commas in code following Standard Style with modifications
Prefer functions over classes
Declare functions after they are used, relying on hoisting
Functions should have no more than two or three arguments; use a single options object for functions needing more parameters
Organize imports in order: standard libraries, external dependencies (sorted alphabetically), then relative imports

Files:

• releasing/commands/test/publish/createPublishContext.test.ts

**/*.test.{js,ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Do not use instanceof Error for error type checking in Jest tests; use util.types.isNativeError() instead to ensure compatibility across realms

Files:

• releasing/commands/test/publish/createPublishContext.test.ts

🔇 Additional comments (1)

releasing/commands/test/publish/createPublishContext.test.ts (1)

23-69: Coverage looks solid for the publish dispatcher wiring.

These cases hit the critical forwarding paths (proxy/TLS/localAddress, fetchTimeout -> timeout, configByUri) and also verify context.fetch delegation behavior.

---

📝 Walkthrough

Walkthrough

This PR fixes web-based OTP authentication polling in pnpm publish to respect proxy and TLS settings by adding createDispatchedFetch and passing dispatcher-aware fetch and network options through publish and OTP polling.

Changes

Proxy-aware OTP polling

Layer / File(s)	Summary
Build dispatcher-aware fetch utilities network/fetch/src/fetchFromRegistry.ts	Added CreateDispatchedFetchOptions and createDispatchedFetch; compute TLS client certificates once and reuse in createFetchFromRegistry.
Export dispatcher utilities network/fetch/src/index.ts	Re-export createDispatchedFetch and CreateDispatchedFetchOptions.
Extend publish options and imports releasing/commands/src/publish/publishPackedPkg.ts	Import createDispatchedFetch, add OtpContext/SHARED_CONTEXT imports, and extend PublishPackedPkgOptions with ca, cert, httpProxy, httpsProxy, key, localAddress, noProxy, strictSsl.
Wire dispatcher options through publish releasing/commands/src/publish/publishPackedPkg.ts	publishPackedPkg now uses createPublishContext to build an OtpContext whose fetch is created by createDispatchedFetch with proxy/TLS/timeout, so publish and doneUrl polling share network config.
Document dispatcher fetch requirement releasing/commands/src/publish/otp.ts	Expanded JSDoc to require callers supply an OtpContext.fetch honoring network configuration (proxy/TLS) for web-auth polling.
Test createDispatchedFetch behavior network/fetch/test/fetchFromRegistry.test.ts	Added test that createDispatchedFetch({}) returns a fetch that hits MockAgent intercept and returns expected response.
Tests for createPublishContext releasing/commands/test/publish/createPublishContext.test.ts	Added tests mocking createDispatchedFetch to assert forwarding of proxy/TLS/timeout/configByUri and delegation of fetch.
Release and changelog .changeset/fix-11561-publish-web-auth-proxy.md	Bumps @pnpm/releasing.commands and pnpm to patch; documents that web-auth polling now honors HTTP/HTTPS proxy env variables (#11561).

Sequence Diagram(s)

sequenceDiagram
  participant CLI as publishPackedPkg
  participant CreateDisp as createDispatchedFetch
  participant OtpHandler as publishWithOtpHandling
  participant Registry as registry(doneUrl)

  CLI->>CreateDisp: provide proxy/TLS/localAddress/timeout/options
  CreateDisp-->>CLI: dispatcher-bound fetch function
  CLI->>OtpHandler: call publishWithOtpHandling with OtpContext.fetch (dispatcher-bound)
  OtpHandler->>Registry: poll doneUrl using OtpContext.fetch (proxy/TLS honored)
  Registry-->>OtpHandler: auth status (success/failure)
  OtpHandler-->>CLI: publish result

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• pnpm/pnpm#11478: Modifies releasing/commands/src/publish/publishPackedPkg.ts, which may interact with the publish API and options shape changed here.

Poem

🐰 I hopped through proxy hedges wide,

to fetch the token on the tide.
A dispatcher-bound path kept the route the same,
No more stray IPs — the doneUrl knows my name. 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 30.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: publish web-auth honors proxy when polling doneUrl' accurately describes the main change: ensuring that web authentication polling respects proxy settings.
Linked Issues check	✅ Passed	All coding requirements from issue #11561 are met: proxy settings forwarding to doneUrl polling, TLS configuration support, proper network configuration routing, and comprehensive test coverage.
Out of Scope Changes check	✅ Passed	All changes directly address the linked issue: extracting TLS configs, creating dispatcher-aware fetch, adding proxy/TLS options to PublishPackedPkgOptions, and wiring these through the publish flow.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/11561

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Fixes pnpm publish hanging during the web-based OTP flow when a proxy is configured by ensuring the registry doneUrl polling request uses the same proxy/TLS/local-address settings as the initial publish request.

Changes:

• Plumbs publish network settings into doneUrl polling via @pnpm/network.fetch’s fetchWithDispatcher.
• Exports extractTlsConfigs from @pnpm/network.fetch to reuse existing TLS config extraction logic.
• Adds a unit test asserting doneUrl polling is routed through fetchWithDispatcher when dispatcher options are provided.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
releasing/commands/test/publish/otp-proxy.test.ts	Adds a unit test that mocks fetchWithDispatcher and asserts proxy-aware polling is used.
releasing/commands/src/publish/publishPackedPkg.ts	Builds DispatcherOptions from publish/config options and passes them into OTP handling.
releasing/commands/src/publish/otp.ts	Wraps the web-auth polling fetch to use fetchWithDispatcher when dispatcher options are supplied.
network/fetch/src/index.ts	Re-exports extractTlsConfigs from the package entrypoint.
network/fetch/src/fetchFromRegistry.ts	Promotes extractTlsConfigs from file-private to exported API.
.changeset/fix-11561-publish-web-auth-proxy.md	Adds a changeset describing the publish proxy fix (but currently missing @pnpm/network.fetch bump).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.