fix(npm): prefer scoped package and harden publish#91
Merged
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Hardens the npm publish workflow to prevent silently skipping publication of the unscoped coven-code alias when a matching version already exists on npm but may not be the official package, and updates docs/messaging to prefer the scoped package.
Changes:
- Add a workflow helper that compares local vs remote package tarball contents before skipping the unscoped alias publish.
- Prefer
@opencoven/coven-codein README and installation docs (including npx/bunx examples). - Update the CLI wrapper error message to recommend reinstalling the scoped package.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/npm-publish.yml |
Adds tarball diff verification to avoid unsafe skip of unscoped alias publish. |
npm/bin/coven-code |
Updates reinstall guidance to prefer the scoped package. |
README.md |
Updates install / one-shot commands to use scoped package. |
docs/installation.md |
Updates installation examples to prefer scoped package. |
docs/src/content/installation.js |
Updates rendered installation snippets to prefer scoped package. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+254
to
+270
| published_package_matches_local() { | ||
| local package_name="$1" | ||
| local tmp_dir local_dir remote_dir | ||
| tmp_dir="$(mktemp -d)" | ||
| local_dir="$tmp_dir/local" | ||
| remote_dir="$tmp_dir/remote" | ||
| mkdir -p "$local_dir" "$remote_dir" | ||
|
|
||
| (cd npm && npm pack --pack-destination "$local_dir" >/dev/null) | ||
| npm pack "${package_name}@${VERSION}" --pack-destination "$remote_dir" >/dev/null | ||
|
|
||
| mkdir -p "$tmp_dir/local-unpacked" "$tmp_dir/remote-unpacked" | ||
| tar -xzf "$(find "$local_dir" -name '*.tgz' -print -quit)" -C "$tmp_dir/local-unpacked" | ||
| tar -xzf "$(find "$remote_dir" -name '*.tgz' -print -quit)" -C "$tmp_dir/remote-unpacked" | ||
|
|
||
| diff -qr "$tmp_dir/local-unpacked/package" "$tmp_dir/remote-unpacked/package" >/dev/null | ||
| } |
Comment on lines
+281
to
+287
| if published_package_matches_local "$package_name"; then | ||
| echo "${package_name}@${VERSION} is already published with the expected package contents; skipping." | ||
| continue | ||
| fi | ||
|
|
||
| echo "::error::${package_name}@${VERSION} already exists on npm with unexpected package contents." | ||
| exit 1 |
Comment on lines
+266
to
+267
| tar -xzf "$(find "$local_dir" -name '*.tgz' -print -quit)" -C "$tmp_dir/local-unpacked" | ||
| tar -xzf "$(find "$remote_dir" -name '*.tgz' -print -quit)" -C "$tmp_dir/remote-unpacked" |
BunsDev
force-pushed
the
codex/fix-unverified-npm-alias-vulnerability
branch
from
5555f48 to
c9f9d44
Compare
BunsDev
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
mainnow publishes only the scoped@opencoven/coven-codepackage, but user-facing install docs still promoted the unscopedcoven-codealias.npm publishwithout--ignore-scripts, leaving checked-out package lifecycle scripts able to run in the same step that hasNODE_AUTH_TOKEN.Description
@opencoven/coven-code.--ignore-scriptsto the scoped npm publish invocation while preserving provenance and--access public.main; the older unscoped-alias verification approach is no longer needed because the unscoped mirror is not published by this workflow.Testing
node scripts/prepare-npm-package.test.mjsgit diff --check origin/main...HEADbash -n /tmp/coven-code-npm-publish-step.shSupersedes #90.