Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

npm pack should prepare manifests the same as publish #679

Closed
lukekarrys opened this issue Jun 2, 2023 · 2 comments
Closed

npm pack should prepare manifests the same as publish #679

lukekarrys opened this issue Jun 2, 2023 · 2 comments

Comments

@lukekarrys
Copy link
Contributor

currently the pack command does not use anything except pacote to prepare the manifest before creating a tarball. this behavior being different than publish can lead to subtle bugs such as the one caught during v9.7.0 release (TODO LINK).

in this case our smoke test was packing and installing a tarball with the assumption that the only difference was the scripts being run and the registry being hit. but since the bins ended up being different the bug wasn't caught.

i know we want to make less things in the manifest altered during publish, but i think an initial push towards parity between both commands will make future changes easier to implement across both commands.

breaking change?

i think that applying the same behavior to a tarball during pack as during publish should be considered a bugfix. my guess is that creating a tarball during publish is much more popular than packing and publishing separately.
@ljharb
Copy link

ljharb commented Jun 2, 2023

It is a massive bug for npm publish to be literally anything but npm pack + upload the tarball, so I totally agree that should be a bugfix.

What is the exact difference right now, and since when was that the case?

@lukekarrys
Copy link
Contributor Author

My initial assessment above was correct in that pack and prepare do different things to prepare a package.json before creating the tarball. But I was incorrect in thinking this had any effect on the bug I encountered in the CLI.

The fundamental issue is that the CLI does some altering of the packument before it is published, and has done this since forever.

When you run npm publish the CLI will get the package.json and alter it to create a packument, pack the tarball, and then upload both the tarball and packument to the registry. When you run npm pack, the CLI will only create the tarball (which is identical to the tarball created by npm publish with the same inputs).

The difference is when you go to npm install the artifacts of those pack/publish commands. When you run npm install $TARBALL, there is no concept of a packument other than the package.json inside the tarball. But npm install $SPEC will get that altered packument from the registry and use that as the source of truth above the tarball's package.json.

Stopping the practice of altering packuments during publish will be a breaking change that we're looking to make as part of npm@10 (#487). Further work around that will be tracked in that issue, so I'm going to close this one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ljharb @lukekarrys