Pin npm to major 11 in npm publish workflow#104
Merged
Conversation
- npm 12.0.0 ships without the sigstore module, breaking npm publish --provenance with MODULE_NOT_FOUND (npm/cli#9722) - npm@11 keeps OIDC trusted publishing support (>= 11.5.1)
📝 WalkthroughWalkthroughThe npm publishing workflow now installs the pinned Changesnpm publishing workflow
Estimated code review effort: 1 (Trivial) | ~5 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish-npm-libraries.yml:
- Around line 85-88: Add security-events: write to the workflow permissions
block in the publish-npm-libraries GitHub Actions workflow so SARIF upload steps
can succeed. Update the existing permissions section alongside id-token: write
and keep the change scoped to the workflow-level permissions used by the
publishing/security steps.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: aef929cd-e611-4428-a013-d1d7ef5ef231
📒 Files selected for processing (1)
.github/workflows/publish-npm-libraries.yml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
npm publish --provenancefails in thepublish_npm_librariesjob withCannot find module 'sigstore'. The workflow installsnpm@latest, which since 2026-07-08 resolves to npm 12.0.0 — that release ships without thesigstoremodule its ownlibnpmpublishrequires (npm/cli#9722).This broke the publish of
@tehw0lf/n8n-nodes-unix-socket-bridge@1.4.5on main.Fix
Pin the install step to
npm@11(latest 11.x). OIDC trusted publishing only needs npm >= 11.5.1, so nothing is lost. The pin can be relaxed back tolatestonce npm 12.0.1 ships the fix.Summary by CodeRabbit