fix(publish): honor publishConfig access#11746
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
🚧 Files skipped from review as they are similar to previous changes (1)
📜 Recent review details🧰 Additional context used📓 Path-based instructions (2)**/*.{ts,tsx}📄 CodeRabbit inference engine (AGENTS.md)
Files:
**/*.test.{ts,tsx}📄 CodeRabbit inference engine (AGENTS.md)
Files:
🧠 Learnings (1)📚 Learning: 2026-05-14T09:04:00.133ZApplied to files:
🔇 Additional comments (4)
📝 WalkthroughWalkthroughThis PR adds support for honoring ChangesPublishConfig.access Support
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR updates pnpm’s publish implementation to honor a package’s publishConfig.access when no explicit --access (or config value) is provided, and adds tests/type updates to cover the behavior (fixes #11728).
Changes:
- Derive publish
accessfrommanifest.publishConfig.accessas a fallback whenoptions.accessis unset. - Add publish tests for single-package and recursive publishing to assert
restricted/publicaccess handling. - Extend
PublishConfigtyping with anaccessfield and add a patch changeset.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| releasing/commands/test/publish/utils/index.ts | Adds a helper to fetch published package metadata from the mock registry for assertions. |
| releasing/commands/test/publish/recursivePublish.ts | Adds a recursive publish test asserting per-package publishConfig.access is respected. |
| releasing/commands/test/publish/publish.ts | Adds a single-package publish test for publishConfig.access. |
| releasing/commands/src/publish/publishPackedPkg.ts | Implements the publishConfig.access fallback when constructing libnpmpublish options. |
| core/types/src/package.ts | Adds `access?: 'public' |
| .changeset/publish-config-access.md | Adds a patch changeset documenting the behavior change. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@releasing/commands/test/publish/utils/index.ts`:
- Around line 26-32: In the res.on('end', ...) handler in the function that
fetches package metadata, guard the call to JSON.parse(body) by wrapping it in a
try/catch; if parsing fails, reject the surrounding Promise with a descriptive
Error (including the raw body or parse error message) instead of letting the
exception escape the event callback, otherwise resolve with the parsed object as
before.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: fca7af7f-c167-4d4c-854b-15c166f1ccee
📒 Files selected for processing (6)
.changeset/publish-config-access.mdcore/types/src/package.tsreleasing/commands/src/publish/publishPackedPkg.tsreleasing/commands/test/publish/publish.tsreleasing/commands/test/publish/recursivePublish.tsreleasing/commands/test/publish/utils/index.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: Agent
- GitHub Check: ubuntu-latest / Node.js 24 / Test
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/*.{ts,tsx}: Follow Standard Style with trailing commas, prefer functions over classes, declare functions after they are used (rely on hoisting), and use a single options object for functions with more than two or three arguments
Sort imports in three groups: standard libraries, external dependencies (alphabetically), then relative imports
Write code that explains itself through clear naming and types — do not write comments that merely restate what the code already says; use comments only for non-obvious reasons, hidden invariants, or workarounds
Files:
core/types/src/package.tsreleasing/commands/test/publish/utils/index.tsreleasing/commands/src/publish/publishPackedPkg.tsreleasing/commands/test/publish/publish.tsreleasing/commands/test/publish/recursivePublish.ts
🧠 Learnings (1)
📚 Learning: 2026-05-14T09:04:00.133Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11622
File: resolving/npm-resolver/test/publishedBy.test.ts:350-354
Timestamp: 2026-05-14T09:04:00.133Z
Learning: In the pnpm/pnpm repository, ESLint is the authoritative style linter. Do not raise review findings for missing trailing commas in multiline function calls (e.g., `fs.writeFileSync(...)`) when this repo’s ESLint configuration does not report them and lint passes. Prefer deferring to the ESLint results for this specific trailing-comma rule rather than enforcing it manually in code review.
Applied to files:
core/types/src/package.tsreleasing/commands/test/publish/utils/index.tsreleasing/commands/src/publish/publishPackedPkg.tsreleasing/commands/test/publish/publish.tsreleasing/commands/test/publish/recursivePublish.ts
🔇 Additional comments (5)
.changeset/publish-config-access.md (1)
1-7: LGTM!core/types/src/package.ts (1)
67-67: LGTM!releasing/commands/src/publish/publishPackedPkg.ts (1)
155-157: LGTM!Also applies to: 223-225
releasing/commands/test/publish/publish.ts (1)
17-17: LGTM!Also applies to: 329-348
releasing/commands/test/publish/recursivePublish.ts (1)
15-15: LGTM!Also applies to: 124-156
|
ci failed. |
f0763a9 to
e979dd4
Compare
Verdaccio strips the top-level `access` field from publish payloads, so the metadata-fetching integration tests could never pass. Replace them with a direct unit test of the access-resolution logic in createPublishOptions. --- Written by an agent (Claude Code, claude-opus-4-7).
|
Congrats on merging your first pull request! 🎉🎉🎉 |
Summary
publishConfig.accessas a fallback when publishing with no explicit--access/config value.restricted/publicaccess.accessto thePublishConfigtype and a patch changeset.Fixes #11728.
Tests
pnpm --filter @pnpm/releasing.commands compilepnpm --filter @pnpm/types compiletsgo --build workspace/workspace-manifest-reader workspace/projects-reader && pnx node@runtime:24.6.0 __utils__/scripts/src/typecheck-only.ts && pn -F=pnpm compile && pn spellcheck && pn lint:meta && pn lint:ts --quietNote: focused Jest publish runs currently fail before executing any test with
module is already linked, including existing tests such aspublish: package with package.json. The registry global setup works standalone.Written by an agent (OpenCode, gpt-5.5), reviewed by me.
Summary by CodeRabbit
New Features
publishConfig.accessconfiguration in package manifests to control package visibility ('public' or 'restricted')--accessflag can override manifest settingsTests