Fix concurrent-publish race in package build scripts

[ericglau]

Problem

changeset publish runs each package's prepare concurrently. core's prepare deleted core/dist (via yarn clean) while plugin-hardhat's prepare ran hardhat compile, which loads core/dist — so co-releases intermittently failed with Cannot find package …/upgrades-core/dist/index.js.

Root cause

In plugin-hardhat, prepare delegated to compile, so the publishable build inherited a dev/test step — hardhat compile, which loads core/dist. Run concurrently by changeset publish, that load raced core's prepare, which cleans core/dist.

Fix — separate prepare (the publishable build) from compile (the dev/test build)

• plugin-hardhat prepare now does only the TypeScript build, so the publishable build no longer runs hardhat compile and never loads core/dist.
• core prepare no longer cleans, so it no longer deletes core/dist mid-publish.
• plugin-hardhat compile still runs hardhat compile to build the plugin's test contracts — that step is just no longer pulled into the publishable prepare.

With each entry point owning its purpose, the concurrent prepares no longer touch each other's output. publish.sh is unchanged, and published artifacts are identical (verified via npm pack file lists).

Summary by CodeRabbit

• Chores
  • Updated build configuration in core package. The prepare script now compiles before copying build artifacts instead of just cleaning.
  • Updated build configuration in Hardhat plugin package. The compile script adjusted to use TypeScript build without force flag, and prepare script now runs TypeScript compilation directly.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 488c6ac2-0c11-41f9-8b9c-0b3c6ebd8f01

📥 Commits

Reviewing files that changed from the base of the PR and between 490cd7b and 541f5c6.

📒 Files selected for processing (2)

• packages/core/package.json
• packages/plugin-hardhat/package.json

---

Walkthrough

This PR streamlines npm build scripts across the core and hardhat plugin packages by removing redundant build steps and optimizing TypeScript compilation invocation. The prepare script in core no longer cleans before compiling, and the hardhat plugin removes the --force flag while inlining TypeScript compilation directly.

Changes

Build script lifecycle optimization

Layer / File(s)	Summary
Core package prepare script cleanup packages/core/package.json	The prepare script removes the preceding yarn clean step, running only compilation and file copying operations.
Hardhat plugin compile and prepare optimization packages/plugin-hardhat/package.json	The compile script drops the --force flag from tsc -b, and prepare directly invokes tsc -b instead of delegating to the compile script, reducing indirection.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• OpenZeppelin/openzeppelin-upgrades#1252: Both PRs modify packages/plugin-hardhat/package.json build scripts—especially scripts.compile—to change how tsc -b rebuilds before hardhat compile (related PR adds --force, main PR removes it).

Suggested reviewers

• tirumerla

Poem

🐰 The scripts grow lean and clean today,
No --force flags get in the way,
We clean less, compile more direct,
The build pipeline, now correct! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately identifies the core problem being fixed: a race condition in concurrent package build scripts during publish. It directly aligns with the changeset's focus on modifying prepare and compile scripts to eliminate concurrent execution conflicts.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	undici@​6.26.0 ⏵ 8.3.0	-26		+1	+1
	promisified@​0.5.0
	wsrun@​5.2.4
	proper-lockfile@​4.1.2
	@​types/​node@​20.19.21
	solidity-ast@​0.4.60
	rimraf@​5.0.10
	minimist@​1.2.8
	nyc@​17.0.0
	minimatch@​9.0.9 ⏵ 10.2.5			+1
	typescript@​5.9.3 ⏵ 5.5.4
	sinon@​20.0.0
	prettier@​3.3.3
	@​nomicfoundation/​hardhat-ethers@​4.0.12 ⏵ 4.0.5				-1

View full report

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

• rimraf@5.0.10
• rimraf@3.0.2
• safe-buffer@5.1.2
• safe-buffer@5.2.1
• nyc@17.0.0
• wsrun@5.2.4
• path-exists@3.0.0
• path-exists@4.0.0
• minimist@1.2.8
• natural-compare@1.4.0
• ts-api-utils@1.3.0
• optionator@0.9.4
• text-table@0.2.0
• yocto-queue@0.1.0
• prettier-linter-helpers@1.0.0
• synckit@0.9.1
• pluralize@8.0.0
• read-pkg-up@7.0.1
• regexp-tree@0.1.27
• regjsparser@0.10.0
• strip-indent@3.0.0
• node-preload@0.2.1
• process-on-spawn@1.0.0
• spawn-wrap@2.0.0
• test-exclude@6.0.0
• split@1.0.1
• throat@4.1.0
• require-main-filename@2.0.0
• set-blocking@2.0.0
• which-module@2.0.1
• mri@1.2.0
• package-manager-detector@0.2.11
• spawndamnit@3.0.1
• term-size@2.2.1
• proper-lockfile@4.1.2
• promisified@0.5.0
• sinon@20.0.0
• normalize-path@3.0.0
• strip-json-comments@3.1.1
• uri-js@4.4.1
• prelude-ls@1.2.1
• type-check@0.4.0
• word-wrap@1.2.5
• read-pkg@5.2.0
• min-indent@1.0.1
• package-hash@4.0.0
• pkg-dir@4.2.0
• once@1.4.0
• path-is-absolute@1.0.1
• source-map@0.6.1
• through@2.3.8
• p-try@2.2.0
• outdent@0.5.0
• p-filter@2.1.0
• read-yaml-file@1.1.0
• strip-bom@3.0.0
• strip-bom@4.0.0
• universalify@0.1.2
• tmp@0.0.33
• quansync@0.2.10
• rlp@2.2.7
• pbkdf2@3.1.6
• ripemd160@2.0.3
• ripemd160@2.0.2
• readable-stream@2.3.8
• readable-stream@3.6.2
• string_decoder@1.1.1
• string_decoder@1.3.0
• randombytes@2.1.0
• scrypt-js@3.0.1
• secp256k1@4.0.4
• node-addon-api@5.1.0
• node-addon-api@2.0.2
• setimmediate@1.0.5
• strip-final-newline@4.0.0
• yoctocolors@2.1.2
• mnemonist@0.38.5
• mocha@10.8.2
• raw-body@2.5.2
• solc@0.8.26
• source-map-support@0.5.21
• stacktrace-parser@0.1.11
• tinyglobby@0.2.15
• tsort@0.0.1
• path-parse@1.0.7
• parent-module@1.0.1
• punycode@2.3.1
• node-releases@2.0.18
• update-browserslist-db@1.1.0
• normalize-package-data@2.5.0
• parse-json@5.2.0
• release-zalgo@1.0.0
• typedarray-to-buffer@3.1.5
• wrappy@1.0.2
• p-finally@1.0.0
• strip-eof@1.0.0
• nice-try@1.0.5
• pify@4.0.1
• safer-buffer@2.1.2
• os-tmpdir@1.0.2
• sha.js@2.4.12
• minimalistic-assert@1.0.1
• to-buffer@1.2.2
• process-nextick-args@2.0.1
• util-deprecate@1.0.2
• widest-line@3.1.0
• obliterator@2.0.5
• serialize-javascript@6.0.2
• workerpool@6.5.1
• yargs-unparser@2.0.0
• unpipe@1.0.0
• proxy-from-env@2.1.0
• resolve-pkg-maps@1.0.0
• validate-npm-package-license@3.0.4
• to-fast-properties@2.0.0
• pump@3.0.0
• typed-array-buffer@1.0.3
• minimalistic-crypto-utils@1.0.1
• setprototypeof@1.2.0
• statuses@2.0.1
• toidentifier@1.0.1
• unfetch@4.2.0
• mime-types@2.1.35
• supports-preserve-symlinks-flag@1.0.0
• spdx-correct@3.2.0
• spdx-expression-parse@3.0.1
• emoji-regex@7.0.3
• string-width@3.1.0
• @types/node@20.19.21
• ansi-regex@4.1.1
• cliui@5.0.0
• cliui@7.0.4
• is-fullwidth-code-point@2.0.0
• wrap-ansi@5.1.0
• escalade@3.1.2
• node-gyp-build@4.8.1
• path-type@4.0.0
• readdirp@3.6.0
• signal-exit@3.0.7
• slash@3.0.0
• tslib@2.6.3
• type-fest@0.20.2
• type-fest@0.6.0
• type-fest@0.7.1
• undici-types@6.21.0
• write-file-atomic@3.0.3
• y18n@4.0.3
• yallist@3.1.1
• yargs@13.3.2
• yargs@15.4.1
• yargs@16.2.0
• yargs-parser@13.1.2
• yargs-parser@18.1.3
• yargs-parser@20.2.9
• npm-run-path@2.0.2
• picocolors@1.1.1
• jsesc@0.5.0
• supports-color@7.2.0
• supports-color@8.1.1
• prettier@3.3.3
• solidity-ast@0.4.60
• type-detect@4.0.8
• uuid@8.3.2
• retry@0.12.0
• decamelize@4.0.0
• diff@7.0.0
• find-up@3.0.0
• locate-path@3.0.0
• p-limit@2.3.0
• p-locate@3.0.0
• p-locate@4.1.0
• resolve@1.22.8
• hash-base@3.1.2
• is-plain-obj@2.1.0
• isarray@2.0.5
• @nomicfoundation/hardhat-ethers@4.0.5
• @sentry/core@9.46.0
• brace-expansion@1.1.11
• brace-expansion@2.0.1
• strip-ansi@5.2.0
• glob@8.1.0
• ws@8.18.3
• minimatch@10.2.5
• minimatch@3.1.2
• minimatch@5.1.6
• minipass@7.1.2
• p-map@3.0.0
• p-map@2.1.0
• reusify@1.0.4
• semver@7.6.3
• tar@7.5.16
• tsx@4.20.6
• typescript@5.5.4
• undici@6.24.0
• undici@8.3.0

View full report

[ericglau]

@SocketSecurity ignore-all