Skip to content

fix(publish): honor publishConfig access#11746

Merged
zkochan merged 4 commits into
pnpm:mainfrom
beaussan:fix-pnpm-publish-config
May 19, 2026
Merged

fix(publish): honor publishConfig access#11746
zkochan merged 4 commits into
pnpm:mainfrom
beaussan:fix-pnpm-publish-config

Conversation

@beaussan

@beaussan beaussan commented May 19, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Honor per-package publishConfig.access as a fallback when publishing with no explicit --access/config value.
  • Add publish tests for single-package and recursive publishes to verify registry metadata receives restricted/public access.
  • Add access to the PublishConfig type and a patch changeset.

Fixes #11728.

Tests

  • pnpm --filter @pnpm/releasing.commands compile
  • pnpm --filter @pnpm/types compile
  • Pre-push hook: tsgo --build workspace/workspace-manifest-reader workspace/projects-reader && pnx node@runtime:24.6.0 __utils__/scripts/src/typecheck-only.ts && pn -F=pnpm compile && pn spellcheck && pn lint:meta && pn lint:ts --quiet

Note: focused Jest publish runs currently fail before executing any test with module is already linked, including existing tests such as publish: package with package.json. The registry global setup works standalone.


Written by an agent (OpenCode, gpt-5.5), reviewed by me.

Summary by CodeRabbit

  • New Features

    • Publishing now respects publishConfig.access configuration in package manifests to control package visibility ('public' or 'restricted')
    • CLI --access flag can override manifest settings
  • Tests

    • Added test coverage for publish access configuration behavior

Review Change Stack

@coderabbitai

coderabbitai Bot commented May 19, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 20e30b8b-b588-4d20-9c7f-d78ac4167f2b

📥 Commits

Reviewing files that changed from the base of the PR and between e979dd4 and 8688d87.

📒 Files selected for processing (2)
  • releasing/commands/src/publish/publishPackedPkg.ts
  • releasing/commands/test/publish/publishConfigAccess.test.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • releasing/commands/src/publish/publishPackedPkg.ts
📜 Recent review details
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Follow Standard Style with trailing commas, prefer functions over classes, declare functions after they are used (rely on hoisting), and use a single options object for functions with more than two or three arguments
Sort imports in three groups: standard libraries, external dependencies (alphabetically), then relative imports
Write code that explains itself through clear naming and types — do not write comments that merely restate what the code already says; use comments only for non-obvious reasons, hidden invariants, or workarounds

Files:

  • releasing/commands/test/publish/publishConfigAccess.test.ts
**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use util.types.isNativeError() instead of instanceof Error when type-checking errors in Jest tests, as instanceof checks can fail across VM realms

Files:

  • releasing/commands/test/publish/publishConfigAccess.test.ts
🧠 Learnings (1)
📚 Learning: 2026-05-14T09:04:00.133Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11622
File: resolving/npm-resolver/test/publishedBy.test.ts:350-354
Timestamp: 2026-05-14T09:04:00.133Z
Learning: In the pnpm/pnpm repository, ESLint is the authoritative style linter. Do not raise review findings for missing trailing commas in multiline function calls (e.g., `fs.writeFileSync(...)`) when this repo’s ESLint configuration does not report them and lint passes. Prefer deferring to the ESLint results for this specific trailing-comma rule rather than enforcing it manually in code review.

Applied to files:

  • releasing/commands/test/publish/publishConfigAccess.test.ts
🔇 Additional comments (4)
releasing/commands/test/publish/publishConfigAccess.test.ts (4)

15-21: LGTM!


26-33: LGTM!


35-67: LGTM!


7-11: The use of jest.unstable_mockModule is the officially recommended approach for mocking ESM modules in Jest. While the API remains labeled as experimental, there is no stable alternative available, and the pattern used here—registering the mock before dynamically importing the module—correctly follows Jest's documented ESM mocking approach.


📝 Walkthrough

Walkthrough

This PR adds support for honoring publishConfig.access in package.json during publishing. It extends the PublishConfig type with an optional access field, updates createPublishOptions to derive access from CLI options or manifest fallback with validation, introduces a type guard to ensure only valid values are used, includes unit tests verifying the access resolution logic, and documents the change via Changeset.

Changes

PublishConfig.access Support

Layer / File(s) Summary
PublishConfig type extension
core/types/src/package.ts
PublishConfig interface adds optional access?: 'public' | 'restricted' field.
Publish access derivation logic
releasing/commands/src/publish/publishPackedPkg.ts
createPublishOptions prefers options.access; otherwise validates and uses manifest.publishConfig?.access if present. New type guard isPublishAccess restricts values to allowed access modes.
Access resolution unit tests
releasing/commands/test/publish/publishConfigAccess.test.ts
Jest suite validates four scenarios: manifest access used as fallback, CLI access overrides manifest, invalid manifest values ignored, and access omitted when neither source provides valid value. Test setup mocks ci-info and clears NPM_ID_TOKEN to isolate behavior.
Release notes
.changeset/publish-config-access.md
Documents patch version bumps for @pnpm/releasing.commands, @pnpm/types, and pnpm.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • zkochan

Poem

🐰 A package speaks its nature true,
With publishConfig.access in view—
Restricted or public, the manifest knows,
While CLI arguments still take their bows!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'fix(publish): honor publishConfig access' accurately describes the main change, which is implementing support for reading the access field from publishConfig in package.json during publishing.
Linked Issues check ✅ Passed The code changes fully implement the requirements from issue #11728: the PublishConfig type was extended with an access field, createPublishOptions now reads manifest.publishConfig.access with proper fallback logic, and comprehensive tests verify all specified behaviors.
Out of Scope Changes check ✅ Passed All changes are directly scoped to implementing the publishConfig.access feature: type definition updates, publishing logic fallback implementation, comprehensive tests, and a changeset entry documenting the fix.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@beaussan beaussan marked this pull request as ready for review May 19, 2026 13:18
@beaussan beaussan requested a review from zkochan as a code owner May 19, 2026 13:18
Copilot AI review requested due to automatic review settings May 19, 2026 13:18

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates pnpm’s publish implementation to honor a package’s publishConfig.access when no explicit --access (or config value) is provided, and adds tests/type updates to cover the behavior (fixes #11728).

Changes:

  • Derive publish access from manifest.publishConfig.access as a fallback when options.access is unset.
  • Add publish tests for single-package and recursive publishing to assert restricted/public access handling.
  • Extend PublishConfig typing with an access field and add a patch changeset.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
releasing/commands/test/publish/utils/index.ts Adds a helper to fetch published package metadata from the mock registry for assertions.
releasing/commands/test/publish/recursivePublish.ts Adds a recursive publish test asserting per-package publishConfig.access is respected.
releasing/commands/test/publish/publish.ts Adds a single-package publish test for publishConfig.access.
releasing/commands/src/publish/publishPackedPkg.ts Implements the publishConfig.access fallback when constructing libnpmpublish options.
core/types/src/package.ts Adds `access?: 'public'
.changeset/publish-config-access.md Adds a patch changeset documenting the behavior change.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread releasing/commands/test/publish/utils/index.ts Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@releasing/commands/test/publish/utils/index.ts`:
- Around line 26-32: In the res.on('end', ...) handler in the function that
fetches package metadata, guard the call to JSON.parse(body) by wrapping it in a
try/catch; if parsing fails, reject the surrounding Promise with a descriptive
Error (including the raw body or parse error message) instead of letting the
exception escape the event callback, otherwise resolve with the parsed object as
before.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: fca7af7f-c167-4d4c-854b-15c166f1ccee

📥 Commits

Reviewing files that changed from the base of the PR and between 9a8675d and 8fa025e.

📒 Files selected for processing (6)
  • .changeset/publish-config-access.md
  • core/types/src/package.ts
  • releasing/commands/src/publish/publishPackedPkg.ts
  • releasing/commands/test/publish/publish.ts
  • releasing/commands/test/publish/recursivePublish.ts
  • releasing/commands/test/publish/utils/index.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Agent
  • GitHub Check: ubuntu-latest / Node.js 24 / Test
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Follow Standard Style with trailing commas, prefer functions over classes, declare functions after they are used (rely on hoisting), and use a single options object for functions with more than two or three arguments
Sort imports in three groups: standard libraries, external dependencies (alphabetically), then relative imports
Write code that explains itself through clear naming and types — do not write comments that merely restate what the code already says; use comments only for non-obvious reasons, hidden invariants, or workarounds

Files:

  • core/types/src/package.ts
  • releasing/commands/test/publish/utils/index.ts
  • releasing/commands/src/publish/publishPackedPkg.ts
  • releasing/commands/test/publish/publish.ts
  • releasing/commands/test/publish/recursivePublish.ts
🧠 Learnings (1)
📚 Learning: 2026-05-14T09:04:00.133Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11622
File: resolving/npm-resolver/test/publishedBy.test.ts:350-354
Timestamp: 2026-05-14T09:04:00.133Z
Learning: In the pnpm/pnpm repository, ESLint is the authoritative style linter. Do not raise review findings for missing trailing commas in multiline function calls (e.g., `fs.writeFileSync(...)`) when this repo’s ESLint configuration does not report them and lint passes. Prefer deferring to the ESLint results for this specific trailing-comma rule rather than enforcing it manually in code review.

Applied to files:

  • core/types/src/package.ts
  • releasing/commands/test/publish/utils/index.ts
  • releasing/commands/src/publish/publishPackedPkg.ts
  • releasing/commands/test/publish/publish.ts
  • releasing/commands/test/publish/recursivePublish.ts
🔇 Additional comments (5)
.changeset/publish-config-access.md (1)

1-7: LGTM!

core/types/src/package.ts (1)

67-67: LGTM!

releasing/commands/src/publish/publishPackedPkg.ts (1)

155-157: LGTM!

Also applies to: 223-225

releasing/commands/test/publish/publish.ts (1)

17-17: LGTM!

Also applies to: 329-348

releasing/commands/test/publish/recursivePublish.ts (1)

15-15: LGTM!

Also applies to: 124-156

Comment thread releasing/commands/test/publish/utils/index.ts Outdated
@zkochan

zkochan commented May 19, 2026

Copy link
Copy Markdown
Member

ci failed.

Copilot AI review requested due to automatic review settings May 19, 2026 17:53
@zkochan zkochan force-pushed the fix-pnpm-publish-config branch from f0763a9 to e979dd4 Compare May 19, 2026 17:53
@coderabbitai coderabbitai Bot added the area: supply chain security Issues related to minimumReleaseAge, blockExoticSubdeps, build script safety, and trust policies. label May 19, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Comment thread releasing/commands/test/publish/utils/index.ts Outdated
Verdaccio strips the top-level `access` field from publish payloads, so the
metadata-fetching integration tests could never pass. Replace them with a
direct unit test of the access-resolution logic in createPublishOptions.

---
Written by an agent (Claude Code, claude-opus-4-7).
@zkochan zkochan merged commit 64afc92 into pnpm:main May 19, 2026
9 of 10 checks passed
@welcome

welcome Bot commented May 19, 2026

Copy link
Copy Markdown

Congrats on merging your first pull request! 🎉🎉🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: supply chain security Issues related to minimumReleaseAge, blockExoticSubdeps, build script safety, and trust policies.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

publishConfig.access in package.json is ignored by pnpm publish

3 participants