@pnpm/releasing.commands 1100.2.10 → 1100.2.11

package/lib/publish/pack.js

@@ -171,6 +171,21 @@ export async function api(opts) {
     if (!manifest.version) {
         throw new PnpmError('PACKAGE_VERSION_NOT_FOUND', `Package version is not defined in the ${manifestFileName}.`);
     }
+    const publishManifest = await createPublishManifest({
+        projectDir: dir,
+        modulesDir: path.join(opts.dir, 'node_modules'),
+        manifest,
+        embedReadme: opts.embedReadme,
+        catalogs: opts.catalogs ?? {},
+        hooks: opts.hooks,
+    });
+    // Strip semver build metadata (the `+<build>` segment) from the published version so that
+    // the tarball, the manifest packed inside it, and the metadata sent to the registry all agree.
+    // libnpmpublish runs `semver.clean()` on `manifest.version` before computing the provenance
+    // subject, which removes build metadata. Leaving it in here would mismatch the version embedded
+    // in the tarball's package.json and cause the registry to reject the publish with a 422 when
+    // verifying the sigstore provenance bundle. See https://github.com/pnpm/pnpm/issues/11518.
+    publishManifest.version = stripBuildMetadata(publishManifest.version);
     let tarballName;
     let packDestination;
     const normalizedName = manifest.name.replace('@', '').replace('/', '-');
@@ -178,23 +193,15 @@ export async function api(opts) {
         if (opts.packDestination) {
             throw new PnpmError('INVALID_OPTION', 'Cannot use --pack-destination and --out together');
         }
-        const preparedOut = opts.out.replaceAll('%s', normalizedName).replaceAll('%v', manifest.version);
+        const preparedOut = opts.out.replaceAll('%s', normalizedName).replaceAll('%v', publishManifest.version);
         const parsedOut = path.parse(preparedOut);
         packDestination = parsedOut.dir ? parsedOut.dir : opts.packDestination;
         tarballName = parsedOut.base;
     }
     else {
-        tarballName = `${normalizedName}-${manifest.version}.tgz`;
+        tarballName = `${normalizedName}-${publishManifest.version}.tgz`;
         packDestination = opts.packDestination;
     }
-    const publishManifest = await createPublishManifest({
-        projectDir: dir,
-        modulesDir: path.join(opts.dir, 'node_modules'),
-        manifest,
-        embedReadme: opts.embedReadme,
-        catalogs: opts.catalogs ?? {},
-        hooks: opts.hooks,
-    });
     const files = await packlist(dir, {
         manifest: publishManifest,
     });
@@ -257,6 +264,10 @@ export async function api(opts) {
         unpackedSize,
     };
 }
+function stripBuildMetadata(version) {
+    const plusIndex = version.indexOf('+');
+    return plusIndex === -1 ? version : version.slice(0, plusIndex);
+}
 function preventBundledDependenciesWithoutHoistedNodeLinker(nodeLinker, manifest) {
     if (nodeLinker === 'hoisted')
         return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/releasing.commands",
-  "version": "1100.2.10",
+  "version": "1100.2.11",
   "description": "Commands for deploy, pack, and publish",
   "keywords": [
     "pnpm",
@@ -47,35 +47,35 @@
     "validate-npm-package-name": "7.0.2",
     "write-json-file": "^7.0.0",
     "write-yaml-file": "^6.0.0",
-    "@pnpm/bins.resolver": "1100.0.2",
     "@pnpm/catalogs.types": "1100.0.0",
-    "@pnpm/cli.common-cli-options-help": "1100.0.1",
-    "@pnpm/cli.utils": "1101.0.2",
-    "@pnpm/config.reader": "1101.2.1",
     "@pnpm/config.pick-registry-for-package": "1100.0.2",
-    "@pnpm/constants": "1100.0.0",
+    "@pnpm/cli.utils": "1101.0.2",
+    "@pnpm/config.reader": "1101.2.2",
     "@pnpm/deps.path": "1100.0.2",
-    "@pnpm/engine.runtime.commands": "1100.0.11",
-    "@pnpm/engine.runtime.node-resolver": "1101.0.5",
+    "@pnpm/constants": "1100.0.0",
+    "@pnpm/engine.runtime.commands": "1100.0.12",
+    "@pnpm/engine.runtime.node-resolver": "1101.0.6",
+    "@pnpm/exec.lifecycle": "1100.0.7",
     "@pnpm/error": "1100.0.0",
-    "@pnpm/exec.lifecycle": "1100.0.6",
+    "@pnpm/fetching.directory-fetcher": "1100.0.7",
     "@pnpm/exec.pnpm-cli-runner": "1100.0.0",
-    "@pnpm/fetching.directory-fetcher": "1100.0.6",
     "@pnpm/fs.indexed-pkg-importer": "1100.0.5",
+    "@pnpm/fs.packlist": "1100.0.1",
     "@pnpm/fs.is-empty-dir-or-nothing": "1100.0.0",
-    "@pnpm/fs.packlist": "1100.0.0",
-    "@pnpm/installing.client": "1100.0.11",
-    "@pnpm/installing.commands": "1100.1.11",
+    "@pnpm/installing.client": "1100.0.12",
+    "@pnpm/installing.commands": "1100.1.12",
     "@pnpm/lockfile.fs": "1100.0.6",
     "@pnpm/lockfile.types": "1100.0.4",
     "@pnpm/network.fetch": "1100.0.2",
     "@pnpm/network.git-utils": "1100.0.1",
-    "@pnpm/network.web-auth": "1101.0.0",
     "@pnpm/releasing.exportable-manifest": "1100.0.3",
+    "@pnpm/network.web-auth": "1101.0.0",
     "@pnpm/resolving.resolver-base": "1100.1.2",
+    "@pnpm/workspace.projects-filter": "1100.0.9",
+    "@pnpm/workspace.projects-sorter": "1100.0.1",
     "@pnpm/types": "1101.0.0",
-    "@pnpm/workspace.projects-filter": "1100.0.8",
-    "@pnpm/workspace.projects-sorter": "1100.0.1"
+    "@pnpm/cli.common-cli-options-help": "1100.0.1",
+    "@pnpm/bins.resolver": "1100.0.2"
   },
   "peerDependencies": {
     "@pnpm/logger": "^1001.0.1"
@@ -99,12 +99,12 @@
     "tar": "^7.5.13",
     "undici": "^7.25.0",
     "write-yaml-file": "^6.0.0",
-    "@pnpm/assert-project": "1100.0.5",
-    "@pnpm/catalogs.config": "1100.0.0",
+    "@pnpm/assert-project": "1100.0.6",
     "@pnpm/hooks.pnpmfile": "1100.0.6",
+    "@pnpm/catalogs.config": "1100.0.0",
     "@pnpm/logger": "1100.0.0",
-    "@pnpm/prepare": "1100.0.5",
-    "@pnpm/releasing.commands": "1100.2.10",
+    "@pnpm/releasing.commands": "1100.2.11",
+    "@pnpm/prepare": "1100.0.6",
     "@pnpm/test-fixtures": "1100.0.0",
     "@pnpm/test-ipc-server": "1100.0.0",
     "@pnpm/testing.command-defaults": "1100.0.1"