Skip to content

fix(npm): prefer scoped package and harden publish#91

Merged
BunsDev merged 1 commit into
mainfrom
codex/fix-unverified-npm-alias-vulnerability
Jun 16, 2026
Merged

fix(npm): prefer scoped package and harden publish#91
BunsDev merged 1 commit into
mainfrom
codex/fix-unverified-npm-alias-vulnerability

Conversation

@BunsDev

@BunsDev BunsDev commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Member

Motivation

  • Current main now publishes only the scoped @opencoven/coven-code package, but user-facing install docs still promoted the unscoped coven-code alias.
  • The npm publish workflow still ran npm publish without --ignore-scripts, leaving checked-out package lifecycle scripts able to run in the same step that has NODE_AUTH_TOKEN.

Description

  • Updates README, installation docs, rendered docs content, and the native-wrapper reinstall hint to prefer @opencoven/coven-code.
  • Adds --ignore-scripts to the scoped npm publish invocation while preserving provenance and --access public.
  • Keeps the scoped-only publish flow from current main; the older unscoped-alias verification approach is no longer needed because the unscoped mirror is not published by this workflow.

Testing

  • node scripts/prepare-npm-package.test.mjs
  • git diff --check origin/main...HEAD
  • extracted the publish shell block and ran bash -n /tmp/coven-code-npm-publish-step.sh

Supersedes #90.

Copilot AI review requested due to automatic review settings June 15, 2026 13:22
@vercel

vercel Bot commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview Jun 16, 2026 5:19am

Copilot AI reviewed Jun 15, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Hardens the npm publish workflow to prevent silently skipping publication of the unscoped coven-code alias when a matching version already exists on npm but may not be the official package, and updates docs/messaging to prefer the scoped package.

Changes:

  • Add a workflow helper that compares local vs remote package tarball contents before skipping the unscoped alias publish.
  • Prefer @opencoven/coven-code in README and installation docs (including npx/bunx examples).
  • Update the CLI wrapper error message to recommend reinstalling the scoped package.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
.github/workflows/npm-publish.yml Adds tarball diff verification to avoid unsafe skip of unscoped alias publish.
npm/bin/coven-code Updates reinstall guidance to prefer the scoped package.
README.md Updates install / one-shot commands to use scoped package.
docs/installation.md Updates installation examples to prefer scoped package.
docs/src/content/installation.js Updates rendered installation snippets to prefer scoped package.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/npm-publish.yml Outdated
Comment on lines +254 to +270
published_package_matches_local() {
local package_name="$1"
local tmp_dir local_dir remote_dir
tmp_dir="$(mktemp -d)"
local_dir="$tmp_dir/local"
remote_dir="$tmp_dir/remote"
mkdir -p "$local_dir" "$remote_dir"

(cd npm && npm pack --pack-destination "$local_dir" >/dev/null)
npm pack "${package_name}@${VERSION}" --pack-destination "$remote_dir" >/dev/null

mkdir -p "$tmp_dir/local-unpacked" "$tmp_dir/remote-unpacked"
tar -xzf "$(find "$local_dir" -name '*.tgz' -print -quit)" -C "$tmp_dir/local-unpacked"
tar -xzf "$(find "$remote_dir" -name '*.tgz' -print -quit)" -C "$tmp_dir/remote-unpacked"

diff -qr "$tmp_dir/local-unpacked/package" "$tmp_dir/remote-unpacked/package" >/dev/null
}
Comment thread .github/workflows/npm-publish.yml Outdated
Comment on lines +281 to +287
if published_package_matches_local "$package_name"; then
echo "${package_name}@${VERSION} is already published with the expected package contents; skipping."
continue
fi

echo "::error::${package_name}@${VERSION} already exists on npm with unexpected package contents."
exit 1
Comment thread .github/workflows/npm-publish.yml Outdated
Comment on lines +266 to +267
tar -xzf "$(find "$local_dir" -name '*.tgz' -print -quit)" -C "$tmp_dir/local-unpacked"
tar -xzf "$(find "$remote_dir" -name '*.tgz' -print -quit)" -C "$tmp_dir/remote-unpacked"
@BunsDev BunsDev force-pushed the codex/fix-unverified-npm-alias-vulnerability branch from 5555f48 to c9f9d44 Compare June 16, 2026 05:19
@BunsDev BunsDev changed the title fix(npm): verify unscoped alias before skip fix(npm): prefer scoped package and harden publish Jun 16, 2026
@BunsDev BunsDev mentioned this pull request Jun 16, 2026
Closed
@BunsDev BunsDev merged commit cafc44b into main Jun 16, 2026
1 check passed
@BunsDev BunsDev deleted the codex/fix-unverified-npm-alias-vulnerability branch June 16, 2026 06:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

aardvark codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BunsDev