Skip to content

Pin npm to major 11 in npm publish workflow#104

Merged
tehw0lf merged 1 commit into
mainfrom
fix/pin-npm-11-sigstore
Jul 9, 2026
Merged

Pin npm to major 11 in npm publish workflow#104
tehw0lf merged 1 commit into
mainfrom
fix/pin-npm-11-sigstore

Conversation

@tehw0lf

@tehw0lf tehw0lf commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Problem

npm publish --provenance fails in the publish_npm_libraries job with Cannot find module 'sigstore'. The workflow installs npm@latest, which since 2026-07-08 resolves to npm 12.0.0 — that release ships without the sigstore module its own libnpmpublish requires (npm/cli#9722).

This broke the publish of @tehw0lf/n8n-nodes-unix-socket-bridge@1.4.5 on main.

Fix

Pin the install step to npm@11 (latest 11.x). OIDC trusted publishing only needs npm >= 11.5.1, so nothing is lost. The pin can be relaxed back to latest once npm 12.0.1 ships the fix.

Summary by CodeRabbit

  • Chores
    • Updated the publishing workflow to use a pinned npm major version for more consistent package publishing.
    • Improved reliability of provenance-enabled npm publishes, reducing the risk of publish failures caused by newer npm behavior.

- npm 12.0.0 ships without the sigstore module, breaking
  npm publish --provenance with MODULE_NOT_FOUND (npm/cli#9722)
- npm@11 keeps OIDC trusted publishing support (>= 11.5.1)
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The npm publishing workflow now installs the pinned npm@11 version globally, with comments documenting its compatibility with OIDC and provenance publishing.

Changes

npm publishing workflow

Layer / File(s) Summary
Pin npm version for publishing
.github/workflows/publish-npm-libraries.yml
The workflow replaces installation of the latest npm with npm@11 and documents the provenance compatibility rationale.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: pinning npm to major 11 in the publish workflow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/pin-npm-11-sigstore

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish-npm-libraries.yml:
- Around line 85-88: Add security-events: write to the workflow permissions
block in the publish-npm-libraries GitHub Actions workflow so SARIF upload steps
can succeed. Update the existing permissions section alongside id-token: write
and keep the change scoped to the workflow-level permissions used by the
publishing/security steps.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: aef929cd-e611-4428-a013-d1d7ef5ef231

📥 Commits

Reviewing files that changed from the base of the PR and between a314f09 and 00e8126.

📒 Files selected for processing (1)
  • .github/workflows/publish-npm-libraries.yml

Comment thread .github/workflows/publish-npm-libraries.yml
@tehw0lf tehw0lf merged commit d74d445 into main Jul 9, 2026
3 checks passed
@tehw0lf tehw0lf deleted the fix/pin-npm-11-sigstore branch July 9, 2026 22:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant