@pnpm/releasing.commands 1100.2.10 → 1100.2.12

package/lib/publish/otp.d.ts

@@ -22,6 +22,11 @@ export interface OtpParams {
  * - Web based authentication flow (authUrl/doneUrl in error body with doneUrl polling)
  * - Classic OTP prompt (manual code entry)
  *
+ * The caller is responsible for supplying a {@link OtpContext.fetch} that
+ * honors the desired network configuration (proxy, TLS, etc.); see
+ * https://github.com/pnpm/pnpm/issues/11561 for why this matters during the
+ * web-based authentication flow.
+ *
  * @see https://github.com/npm/cli/blob/7d900c46/lib/utils/otplease.js for npm's implementation.
  * @see https://github.com/npm/npm-profile/blob/main/lib/index.js for the webauth polling flow.
  */

package/lib/publish/otp.js

@@ -5,6 +5,11 @@ import { SHARED_CONTEXT } from './utils/shared-context.js';
  * - Web based authentication flow (authUrl/doneUrl in error body with doneUrl polling)
  * - Classic OTP prompt (manual code entry)
  *
+ * The caller is responsible for supplying a {@link OtpContext.fetch} that
+ * honors the desired network configuration (proxy, TLS, etc.); see
+ * https://github.com/pnpm/pnpm/issues/11561 for why this matters during the
+ * web-based authentication flow.
+ *
  * @see https://github.com/npm/cli/blob/7d900c46/lib/utils/otplease.js for npm's implementation.
  * @see https://github.com/npm/npm-profile/blob/main/lib/index.js for the webauth polling flow.
  */

package/lib/publish/pack.js

@@ -171,6 +171,21 @@ export async function api(opts) {
     if (!manifest.version) {
         throw new PnpmError('PACKAGE_VERSION_NOT_FOUND', `Package version is not defined in the ${manifestFileName}.`);
     }
+    const publishManifest = await createPublishManifest({
+        projectDir: dir,
+        modulesDir: path.join(opts.dir, 'node_modules'),
+        manifest,
+        embedReadme: opts.embedReadme,
+        catalogs: opts.catalogs ?? {},
+        hooks: opts.hooks,
+    });
+    // Strip semver build metadata (the `+<build>` segment) from the published version so that
+    // the tarball, the manifest packed inside it, and the metadata sent to the registry all agree.
+    // libnpmpublish runs `semver.clean()` on `manifest.version` before computing the provenance
+    // subject, which removes build metadata. Leaving it in here would mismatch the version embedded
+    // in the tarball's package.json and cause the registry to reject the publish with a 422 when
+    // verifying the sigstore provenance bundle. See https://github.com/pnpm/pnpm/issues/11518.
+    publishManifest.version = stripBuildMetadata(publishManifest.version);
     let tarballName;
     let packDestination;
     const normalizedName = manifest.name.replace('@', '').replace('/', '-');
@@ -178,23 +193,15 @@ export async function api(opts) {
         if (opts.packDestination) {
             throw new PnpmError('INVALID_OPTION', 'Cannot use --pack-destination and --out together');
         }
-        const preparedOut = opts.out.replaceAll('%s', normalizedName).replaceAll('%v', manifest.version);
+        const preparedOut = opts.out.replaceAll('%s', normalizedName).replaceAll('%v', publishManifest.version);
         const parsedOut = path.parse(preparedOut);
         packDestination = parsedOut.dir ? parsedOut.dir : opts.packDestination;
         tarballName = parsedOut.base;
     }
     else {
-        tarballName = `${normalizedName}-${manifest.version}.tgz`;
+        tarballName = `${normalizedName}-${publishManifest.version}.tgz`;
         packDestination = opts.packDestination;
     }
-    const publishManifest = await createPublishManifest({
-        projectDir: dir,
-        modulesDir: path.join(opts.dir, 'node_modules'),
-        manifest,
-        embedReadme: opts.embedReadme,
-        catalogs: opts.catalogs ?? {},
-        hooks: opts.hooks,
-    });
     const files = await packlist(dir, {
         manifest: publishManifest,
     });
@@ -257,6 +264,10 @@ export async function api(opts) {
         unpackedSize,
     };
 }
+function stripBuildMetadata(version) {
+    const plusIndex = version.indexOf('+');
+    return plusIndex === -1 ? version : version.slice(0, plusIndex);
+}
 function preventBundledDependenciesWithoutHoistedNodeLinker(nodeLinker, manifest) {
     if (nodeLinker === 'hoisted')
         return;

package/lib/publish/publishPackedPkg.d.ts

@@ -1,7 +1,8 @@
 import type { Config } from '@pnpm/config.reader';
 import { PnpmError } from '@pnpm/error';
+import { type OtpContext } from './otp.js';
 import type { PackResult } from './pack.js';
-export type PublishPackedPkgOptions = Pick<Config, 'configByUri' | 'dryRun' | 'fetchRetries' | 'fetchRetryFactor' | 'fetchRetryMaxtimeout' | 'fetchRetryMintimeout' | 'fetchTimeout' | 'registries' | 'tag' | 'userAgent'> & {
+export type PublishPackedPkgOptions = Pick<Config, 'configByUri' | 'dryRun' | 'fetchRetries' | 'fetchRetryFactor' | 'fetchRetryMaxtimeout' | 'fetchRetryMintimeout' | 'fetchTimeout' | 'registries' | 'tag' | 'userAgent'> & Partial<Pick<Config, 'ca' | 'cert' | 'httpProxy' | 'httpsProxy' | 'key' | 'localAddress' | 'noProxy' | 'strictSsl'>> & {
     access?: 'public' | 'restricted';
     ci?: boolean;
     otp?: string;
@@ -37,6 +38,14 @@ export interface PublishSummary {
     bundled: string[];
 }
 export declare function publishPackedPkg(packResult: Pick<PackResult, 'publishedManifest' | 'tarballPath' | 'contents' | 'unpackedSize'>, opts: PublishPackedPkgOptions): Promise<PublishSummary>;
+/**
+ * Builds the {@link OtpContext} used to drive the publish. The default fetch
+ * is replaced by one that respects proxy / TLS / local-address settings, so
+ * the `doneUrl` polling in the web-based authentication flow goes through
+ * the same network configuration as the initial publish request (see
+ * https://github.com/pnpm/pnpm/issues/11561).
+ */
+export declare function createPublishContext(opts: PublishPackedPkgOptions): OtpContext;
 export declare class PublishUnsupportedRegistryProtocolError extends PnpmError {
     readonly registryUrl: string;
     constructor(registryUrl: string);

package/lib/publish/publishPackedPkg.js

@@ -3,6 +3,7 @@ import fs from 'node:fs/promises';
 import path from 'node:path';
 import { PnpmError } from '@pnpm/error';
 import { globalInfo, globalWarn } from '@pnpm/logger';
+import { createDispatchedFetch } from '@pnpm/network.fetch';
 import { displayError } from './displayError.js';
 import { executeTokenHelper } from './executeTokenHelper.js';
 import { createFailedToPublishError } from './FailedToPublishError.js';
@@ -11,6 +12,7 @@ import { getIdToken, IdTokenError } from './oidc/idToken.js';
 import { determineProvenance, ProvenanceError } from './oidc/provenance.js';
 import { publishWithOtpHandling } from './otp.js';
 import { allRegistryConfigKeys, parseSupportedRegistryUrl } from './registryConfigKeys.js';
+import { SHARED_CONTEXT } from './utils/shared-context.js';
 export async function publishPackedPkg(packResult, opts) {
     const { publishedManifest, tarballPath, contents, unpackedSize } = packResult;
     const tarballData = await fs.readFile(tarballPath);
@@ -37,13 +39,31 @@ export async function publishPackedPkg(packResult, opts) {
         globalWarn(`Skip publishing ${name}@${version} (dry run)`);
         return summary;
     }
-    const response = await publishWithOtpHandling({ manifest: publishedManifest, tarballData, publishOptions });
+    const response = await publishWithOtpHandling({
+        context: createPublishContext(opts),
+        manifest: publishedManifest,
+        publishOptions,
+        tarballData,
+    });
     if (response.ok) {
         globalInfo(`✅ Published package ${name}@${version}`);
         return summary;
     }
     throw await createFailedToPublishError(packResult, response);
 }
+/**
+ * Builds the {@link OtpContext} used to drive the publish. The default fetch
+ * is replaced by one that respects proxy / TLS / local-address settings, so
+ * the `doneUrl` polling in the web-based authentication flow goes through
+ * the same network configuration as the initial publish request (see
+ * https://github.com/pnpm/pnpm/issues/11561).
+ */
+export function createPublishContext(opts) {
+    return {
+        ...SHARED_CONTEXT,
+        fetch: createDispatchedFetch({ ...opts, timeout: opts.fetchTimeout }),
+    };
+}
 /**
  * npm accepts both `bundledDependencies` and `bundleDependencies` in package.json and normalizes
  * to a list of dependency names. We mirror that normalization so consumers see a consistent array.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/releasing.commands",
-  "version": "1100.2.10",
+  "version": "1100.2.12",
   "description": "Commands for deploy, pack, and publish",
   "keywords": [
     "pnpm",
@@ -27,58 +27,58 @@
     "@pnpm/npm-package-arg": "^2.0.0",
     "@types/normalize-path": "^3.0.2",
     "@zkochan/rimraf": "^4.0.0",
-    "chalk": "^5.6.2",
-    "ci-info": "^4.4.0",
-    "detect-libc": "^2.1.2",
+    "chalk": "^5.6.0",
+    "ci-info": "^4.3.0",
+    "detect-libc": "^2.0.3",
     "enquirer": "^2.4.1",
     "execa": "npm:safe-execa@0.3.0",
     "libnpmpublish": "^11.1.3",
     "normalize-path": "^3.0.0",
     "normalize-registry-url": "2.0.1",
     "p-filter": "^4.1.0",
-    "p-limit": "^7.3.0",
+    "p-limit": "^7.1.0",
     "ramda": "npm:@pnpm/ramda@0.28.1",
     "realpath-missing": "^2.0.0",
     "render-help": "^2.0.0",
-    "semver": "^7.7.4",
-    "tar-stream": "^3.2.0",
+    "semver": "^7.7.2",
+    "tar-stream": "^3.1.7",
     "tempy": "3.0.0",
-    "tinyglobby": "^0.2.16",
+    "tinyglobby": "^0.2.14",
     "validate-npm-package-name": "7.0.2",
     "write-json-file": "^7.0.0",
     "write-yaml-file": "^6.0.0",
-    "@pnpm/bins.resolver": "1100.0.2",
-    "@pnpm/catalogs.types": "1100.0.0",
     "@pnpm/cli.common-cli-options-help": "1100.0.1",
-    "@pnpm/cli.utils": "1101.0.2",
-    "@pnpm/config.reader": "1101.2.1",
-    "@pnpm/config.pick-registry-for-package": "1100.0.2",
+    "@pnpm/bins.resolver": "1100.0.3",
+    "@pnpm/catalogs.types": "1100.0.0",
+    "@pnpm/config.reader": "1101.3.0",
+    "@pnpm/cli.utils": "1101.0.3",
+    "@pnpm/config.pick-registry-for-package": "1100.0.3",
+    "@pnpm/deps.path": "1100.0.3",
+    "@pnpm/engine.runtime.node-resolver": "1101.0.7",
+    "@pnpm/engine.runtime.commands": "1100.0.13",
     "@pnpm/constants": "1100.0.0",
-    "@pnpm/deps.path": "1100.0.2",
-    "@pnpm/engine.runtime.commands": "1100.0.11",
-    "@pnpm/engine.runtime.node-resolver": "1101.0.5",
     "@pnpm/error": "1100.0.0",
-    "@pnpm/exec.lifecycle": "1100.0.6",
+    "@pnpm/exec.lifecycle": "1100.0.8",
     "@pnpm/exec.pnpm-cli-runner": "1100.0.0",
-    "@pnpm/fetching.directory-fetcher": "1100.0.6",
-    "@pnpm/fs.indexed-pkg-importer": "1100.0.5",
+    "@pnpm/fetching.directory-fetcher": "1100.0.8",
+    "@pnpm/fs.indexed-pkg-importer": "1100.0.6",
     "@pnpm/fs.is-empty-dir-or-nothing": "1100.0.0",
-    "@pnpm/fs.packlist": "1100.0.0",
-    "@pnpm/installing.client": "1100.0.11",
-    "@pnpm/installing.commands": "1100.1.11",
-    "@pnpm/lockfile.fs": "1100.0.6",
-    "@pnpm/lockfile.types": "1100.0.4",
-    "@pnpm/network.fetch": "1100.0.2",
+    "@pnpm/fs.packlist": "1100.0.1",
+    "@pnpm/installing.client": "1100.0.13",
+    "@pnpm/lockfile.fs": "1100.0.7",
+    "@pnpm/network.fetch": "1100.0.3",
     "@pnpm/network.git-utils": "1100.0.1",
     "@pnpm/network.web-auth": "1101.0.0",
-    "@pnpm/releasing.exportable-manifest": "1100.0.3",
-    "@pnpm/resolving.resolver-base": "1100.1.2",
-    "@pnpm/types": "1101.0.0",
-    "@pnpm/workspace.projects-filter": "1100.0.8",
-    "@pnpm/workspace.projects-sorter": "1100.0.1"
+    "@pnpm/lockfile.types": "1100.0.5",
+    "@pnpm/installing.commands": "1100.2.0",
+    "@pnpm/releasing.exportable-manifest": "1100.0.4",
+    "@pnpm/types": "1101.1.0",
+    "@pnpm/workspace.projects-filter": "1100.0.10",
+    "@pnpm/resolving.resolver-base": "1100.1.3",
+    "@pnpm/workspace.projects-sorter": "1100.0.2"
   },
   "peerDependencies": {
-    "@pnpm/logger": "^1001.0.1"
+    "@pnpm/logger": ">=1001.0.0 <1002.0.0"
   },
   "devDependencies": {
     "@jest/globals": "30.3.0",
@@ -92,20 +92,20 @@
     "@types/tar": "^7.0.87",
     "@types/tar-stream": "^3.1.4",
     "@types/validate-npm-package-name": "^4.0.2",
-    "ci-info": "^4.4.0",
+    "ci-info": "^4.3.0",
     "cross-spawn": "^7.0.6",
     "is-windows": "^1.0.2",
     "load-json-file": "^7.0.1",
-    "tar": "^7.5.13",
-    "undici": "^7.25.0",
+    "tar": "^7.5.10",
+    "undici": "^7.2.0",
     "write-yaml-file": "^6.0.0",
-    "@pnpm/assert-project": "1100.0.5",
+    "@pnpm/assert-project": "1100.0.7",
     "@pnpm/catalogs.config": "1100.0.0",
-    "@pnpm/hooks.pnpmfile": "1100.0.6",
     "@pnpm/logger": "1100.0.0",
-    "@pnpm/prepare": "1100.0.5",
-    "@pnpm/releasing.commands": "1100.2.10",
+    "@pnpm/hooks.pnpmfile": "1100.0.7",
+    "@pnpm/releasing.commands": "1100.2.12",
     "@pnpm/test-fixtures": "1100.0.0",
+    "@pnpm/prepare": "1100.0.7",
     "@pnpm/test-ipc-server": "1100.0.0",
     "@pnpm/testing.command-defaults": "1100.0.1"
   },