fix(npm): verify unscoped alias before skip #91
Open
BunsDev wants to merge 1 commit into
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Hardens the npm publish workflow to prevent silently skipping publication of the unscoped coven-code alias when a matching version already exists on npm but may not be the official package, and updates docs/messaging to prefer the scoped package.
Changes:
- Add a workflow helper that compares local vs remote package tarball contents before skipping the unscoped alias publish.
- Prefer @opencoven/coven-code in README and installation docs (including npx/bunx examples).
- Update the CLI wrapper error message to recommend reinstalling the scoped package.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/npm-publish.yml | Adds tarball diff verification to avoid unsafe skip of unscoped alias publish. |
| npm/bin/coven-code | Updates reinstall guidance to prefer the scoped package. |
| README.md | Updates install / one-shot commands to use scoped package. |
| docs/installation.md | Updates installation examples to prefer scoped package. |
| docs/src/content/installation.js | Updates rendered installation snippets to prefer scoped package. |
Comment on lines +254 to +270
| published_package_matches_local() { | ||
| local package_name="$1" | ||
| local tmp_dir local_dir remote_dir | ||
| tmp_dir="$(mktemp -d)" | ||
| local_dir="$tmp_dir/local" | ||
| remote_dir="$tmp_dir/remote" | ||
| mkdir -p "$local_dir" "$remote_dir" | ||
|
|
||
| (cd npm && npm pack --pack-destination "$local_dir" >/dev/null) | ||
| npm pack "${package_name}@${VERSION}" --pack-destination "$remote_dir" >/dev/null | ||
|
|
||
| mkdir -p "$tmp_dir/local-unpacked" "$tmp_dir/remote-unpacked" | ||
| tar -xzf "$(find "$local_dir" -name '*.tgz' -print -quit)" -C "$tmp_dir/local-unpacked" | ||
| tar -xzf "$(find "$remote_dir" -name '*.tgz' -print -quit)" -C "$tmp_dir/remote-unpacked" | ||
|
|
||
| diff -qr "$tmp_dir/local-unpacked/package" "$tmp_dir/remote-unpacked/package" >/dev/null | ||
| } |
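Review bot: if the unscoped alias is published from a package.json whose `name` field was rewritten from the scoped name, `diff -qr` on `package/package.json` will report a difference every time, so `published_package_matches_local` could never allow a skip for `coven-code`; confirm that the pack run in `npm/` already carries the alias name at this point in the job, or normalize the `name` field on both sides before diffing. The directory from `mktemp -d` is also never removed; a `trap 'rm -rf "$tmp_dir"' RETURN` at the top of the function (bash) or an explicit `rm -rf` after the `diff` keeps the runner from accumulating two unpacked tarballs per alias.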
Comment on lines +281 to +287
| if published_package_matches_local "$package_name"; then | ||
| echo "${package_name}@${VERSION} is already published with the expected package contents; skipping." | ||
| continue | ||
| fi | ||
|
|
||
| echo "::error::${package_name}@${VERSION} already exists on npm with unexpected package contents." | ||
| exit 1 |
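Review bot: because `published_package_matches_local` runs as an `if` condition, every failure inside it (a registry error from `npm pack`, an empty `find` result, a `tar` failure) is reported with the same `::error::` about "unexpected package contents", and the `diff -qr` output is sent to `/dev/null`, so a real mismatch cannot be triaged from the job log. Have the helper return a distinct status for "could not fetch or unpack the remote tarball" versus "contents differ", and print the list of differing files before `exit 1`.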
Comment on lines +266 to +267
| tar -xzf "$(find "$local_dir" -name '*.tgz' -print -quit)" -C "$tmp_dir/local-unpacked" | ||
| tar -xzf "$(find "$remote_dir" -name '*.tgz' -print -quit)" -C "$tmp_dir/remote-unpacked" |
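Review bot: `$(find "$remote_dir" -name '*.tgz' -print -quit)` expands to an empty string when the remote `npm pack` produced nothing, so `tar -xzf ""` fails with a confusing error rather than a clear message; check that each lookup returned a path before extracting. The remote tarball is the untrusted input this whole check exists for, so it is also worth listing it first (`tar -tzf`) and failing if any entry is not under `package/`, instead of relying on tar's defaults while unpacking it.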
Motivation

`coven-code` package when that exact version already existed on npm without verifying ownership or package contents, which can enable an attacker-controlled package to be mistaken for the official one.

Description

- `published_package_matches_local` helper in `.github/workflows/npm-publish.yml` that `npm pack`s the local package and the remote package version, unpacks both tarballs, and `diff`s their contents before deciding to skip publishing the unscoped alias.
- `@opencoven/coven-code` package; for the unscoped `coven-code` the job will skip only when the remote package contents match the locally prepared package and will `exit 1` when contents do not match.
- `README.md`, `docs/installation.md`, and `docs/src/content/installation.js` to prefer the scoped `@opencoven/coven-code` package for installs and `npx`/`bunx`.
- `npm/bin/coven-code` to instruct users to reinstall from the scoped `@opencoven/coven-code` package when the native binary is missing.

Testing

- `node scripts/prepare-npm-package.test.mjs` and it completed successfully.
- `bash -n /tmp/npm-publish-step.sh` and it reported no syntax errors.
- `git diff --check` and `git status` and found no whitespace or diff errors.
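The pack/unpack/diff check the description walks through, reworked as an added example (this is not the PR's workflow code): it keeps the same comparison but fails closed with a distinct exit status when a tarball is missing or contains entries outside `package/`, and prints the differing files, so a registry hiccup is not reported as tampering. The sample tarballs are constructed inline, and `tarballs_match` and `make_sample_tarball` are names assumed here.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow code: same pack/unpack/diff idea as
# published_package_matches_local, with explicit failure modes and a report.

# Exit codes: 0 = contents identical, 1 = contents differ, 2 = missing/unreadable tarball.
tarballs_match() {
  local local_tgz="$1" remote_tgz="$2" work tgz rc=0 report
  [ -s "$local_tgz" ]  || { echo "missing local tarball: $local_tgz" >&2;  return 2; }
  [ -s "$remote_tgz" ] || { echo "missing remote tarball: $remote_tgz" >&2; return 2; }
  work="$(mktemp -d)" || return 2
  mkdir -p "$work/local" "$work/remote"
  # Refuse a tarball whose listing has any entry outside package/ before unpacking it.
  for tgz in "$local_tgz" "$remote_tgz"; do
    if tar -tzf "$tgz" | grep -qv '^package/'; then
      echo "unexpected entries outside package/ in $tgz" >&2; rm -rf "$work"; return 2
    fi
  done
  tar -xzf "$local_tgz"  -C "$work/local"  || { rm -rf "$work"; return 2; }
  tar -xzf "$remote_tgz" -C "$work/remote" || { rm -rf "$work"; return 2; }
  # diff -qr exits 0 when identical, 1 when files differ, 2 on trouble; keep its report.
  report="$(diff -qr "$work/local/package" "$work/remote/package" 2>&1)" || rc=$?
  rm -rf "$work"
  [ "$rc" -eq 0 ] || printf '%s\n' "$report" >&2
  case "$rc" in 0) return 0 ;; 1) return 1 ;; *) return 2 ;; esac
}

# Constructed sample input: build a tarball laid out like `npm pack` output
# (everything under package/) with the given package name and bin script body.
make_sample_tarball() {
  local out="$1" name="$2" body="$3" dir
  dir="$(mktemp -d)"
  mkdir -p "$dir/package/bin"
  printf '{"name":"%s","version":"1.0.0","bin":{"coven-code":"bin/coven-code"}}\n' "$name" \
    > "$dir/package/package.json"
  printf '#!/bin/sh\n%s\n' "$body" > "$dir/package/bin/coven-code"
  tar -czf "$out" -C "$dir" package
  rm -rf "$dir"
}
```

Call it as `tarballs_match local.tgz remote.tgz` and branch on the exit code: only 0 justifies skipping a publish, 1 means the published contents differ, and 2 means the comparison itself could not be made.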