mopub 0.0.3 → 0.1.0

package/dist/publish.js

@@ -19,7 +19,7 @@ export const PublishInput = z
         .optional(),
     otp: z
         .string()
-        .describe('npm OTP to pass through to `npm publish --otp`. Only needed for registries that still require OTP-based 2FA. Leave unset to use npm\'s default browser-based auth flow.')
+        .describe('npm OTP to pass through to `npm publish --otp`. If not provided you will be prompted for it (press enter at the prompt to try publishing without MFA, e.g. for registries that use browser-based auth).')
         .optional(),
     tag: z
         .string()
@@ -122,6 +122,21 @@ async function getRegistryVersions(pkg) {
     const registryVersionsStdout = StdoutShape.parse(JSON.parse(registryVersionsResult.stdout));
     return Array.isArray(registryVersionsStdout) ? registryVersionsStdout : [];
 }
+async function getRegistryDistTags(pkgName) {
+    const result = await execa('npm', ['view', pkgName, 'dist-tags', '--json'], { reject: false });
+    if (!result.stdout)
+        return {};
+    try {
+        const parsed = JSON.parse(result.stdout);
+        if (parsed && typeof parsed === 'object' && !('error' in parsed)) {
+            return parsed;
+        }
+    }
+    catch {
+        // ignore - fall through to empty
+    }
+    return {};
+}
 const _breakpoint = (why = 'hmm') => ({
     title: `wait a bit because ${why}`,
     task: async (ctx, task) => {
@@ -444,7 +459,18 @@ export const publish = async (input) => {
             rendererOptions: { persistentOutput: true },
             task: async (ctx, task) => {
                 const shouldActuallyPublish = input.publish;
-                const publishTasks = createPublishTasks(ctx, { otp: input.otp, tag: input.tag });
+                let otp = input.otp;
+                if (shouldActuallyPublish) {
+                    otp ||= await task.prompt(ListrEnquirerPromptAdapter).run({
+                        message: 'Enter npm OTP (press enter to try publishing without MFA)',
+                        type: 'Input',
+                        validate: v => v === '' || (typeof v === 'string' && /^\d{6}$/.test(v)),
+                    });
+                    if (otp.length === 0) {
+                        task.output = 'No OTP provided - publish will likely error unless you have disabled MFA.';
+                    }
+                }
+                const publishTasks = createPublishTasks(ctx, { otp, tag: input.tag });
                 if (!shouldActuallyPublish)
                     publishTasks.forEach(t => (t.skip = true));
                 return task.newListr(publishTasks, { rendererOptions: { collapseSubtasks: false } });
@@ -481,7 +507,7 @@ export const PrebuiltInput = z.tuple([
     z.object({
         otp: z
             .string()
-            .describe('npm OTP to pass through to `npm publish --otp`. Only needed for registries that still require OTP-based 2FA. Leave unset to use npm\'s default browser-based auth flow.')
+            .describe('npm OTP to pass through to `npm publish --otp`. If not provided you will be prompted for it (press enter at the prompt to try publishing without MFA, e.g. for registries that use browser-based auth).')
             .optional(),
         tag: z
             .string()
@@ -495,7 +521,29 @@ export async function publishPrebuilt([folder, options]) {
         throw new Error(`Failed to get npm username: ${me.stderr}`);
     console.log(me.stdout, '<<<<<<< npm whoami');
     const ctx = loadContext(folder);
-    const tasks = new Listr(createPublishTasks(ctx, options), { ctx });
+    const tasks = new Listr([
+        {
+            title: 'Get OTP',
+            enabled: () => !options.otp,
+            task: async (_ctx, task) => {
+                options.otp = await task.prompt(ListrEnquirerPromptAdapter).run({
+                    message: 'Enter npm OTP (press enter to try publishing without MFA)',
+                    type: 'Input',
+                    validate: v => v === '' || (typeof v === 'string' && /^\d{6}$/.test(v)),
+                });
+                if (options.otp === '') {
+                    const confirmed = await task.prompt(ListrEnquirerPromptAdapter).run({
+                        message: 'This will fail unless you have disabled MFA, which is not recommended.',
+                        type: 'confirm',
+                    });
+                    if (!confirmed) {
+                        throw new Error('OTP not provided');
+                    }
+                }
+            },
+        },
+        ...createPublishTasks(ctx, options),
+    ], { ctx });
     await tasks.run();
 }
 function createPublishTasks(ctx, options) {
@@ -510,11 +558,30 @@ function createPublishTasks(ctx, options) {
                     const publishArgs = ['--access', 'public'];
                     if (options.otp)
                         publishArgs.push('--otp', options.otp);
-                    if (rhsPackageJson && semver.prerelease(rhsPackageJson.version)) {
+                    let resolvedTag = options.tag;
+                    // default to whichever dist-tag the previous comparable release was published under,
+                    // when both versions are the same prerelease/non-prerelease type. e.g. if 0.0.1-1 was
+                    // published as "latest", a follow-up 0.0.1-2 should also go to "latest" (not "next");
+                    // if 4.0.0 was published as "next", 4.0.1 should also be "next" (not "latest").
+                    if (!resolvedTag && lhsPackageJson?.version && rhsPackageJson?.version) {
+                        const sameType = Boolean(semver.prerelease(lhsPackageJson.version)) ===
+                            Boolean(semver.prerelease(rhsPackageJson.version));
+                        if (sameType) {
+                            const distTags = await getRegistryDistTags(pkg.name);
+                            const matchingTags = Object.entries(distTags)
+                                .filter(([, v]) => v === lhsPackageJson.version)
+                                .map(([t]) => t);
+                            if (matchingTags.length > 0) {
+                                resolvedTag = matchingTags.find(t => t === 'latest') || matchingTags[0];
+                            }
+                        }
+                    }
+                    if (resolvedTag) {
+                        publishArgs.push('--tag', resolvedTag);
+                    }
+                    else if (rhsPackageJson && semver.prerelease(rhsPackageJson.version)) {
                         const first = semver.prerelease(rhsPackageJson.version)?.[0];
-                        let tag = options.tag;
-                        tag ||= typeof first === 'string' ? first : 'next';
-                        publishArgs.push('--tag', tag);
+                        publishArgs.push('--tag', typeof first === 'string' ? first : 'next');
                     }
                     await pipeExeca(subtask, 'pnpm', ['publish', ...publishArgs], {
                         cwd: path.dirname(packageJsonFilepath(pkg, RHS_FOLDER)),
@@ -567,10 +634,18 @@ export const ReleaseNotesInput = z.object({
 });
 async function pullRegistryPackage(subtask, pkg, { version, folder }) {
     // note: `npm pack foobar` will actually pull foobar.1-2-3.tgz from the registry. It's not actually doing a "pack" at all. `pnpm pack` does not do the same thing - it packs the local directory
-    await pipeExeca(subtask, 'npm', ['pack', `${pkg.name}@${version}`], { cwd: folder });
-    const tgzFileName = fs.readdirSync(folder).at(0);
-    if (!tgzFileName) {
-        throw new Error(`No tgz file found in ${folder}, tried to pull ${pkg.name}@${version}`);
+    const packResult = await pipeExeca(subtask, 'npm', ['pack', `${pkg.name}@${version}`], { cwd: folder });
+    const packStdout = typeof packResult.stdout === 'string' ? packResult.stdout : '';
+    const tgzFileName = packStdout
+        .split('\n')
+        .map(line => line.trim())
+        .find(line => line.endsWith('.tgz'));
+    const folderEntries = fs.readdirSync(folder);
+    if (!tgzFileName || !folderEntries.includes(tgzFileName)) {
+        throw new Error([
+            `Expected npm pack ${pkg.name}@${version} to write ${tgzFileName || 'a .tgz file'} in ${folder}.`,
+            `Found: ${folderEntries.length ? folderEntries.join(', ') : '(nothing)'}`,
+        ].join('\n'));
     }
     await pipeExeca(subtask, 'tar', ['-xvzf', tgzFileName], { cwd: folder });
     const filepath = path.join(folder, 'package', 'package.json');
@@ -643,7 +718,7 @@ function getBumpedVersionValidation(lowerBoundVersion, v) {
 function getWorkspaceRoot() {
     return path.dirname(findUpSync('pnpm-workspace.yaml') || findUpSync('pnpm-lock.yaml') || findUpOrThrow('.git', { type: 'directory' }));
 }
-/** "Pessimistic" comparison ref. Tries to use the registry package.json's `git.sha` property, falls back to a matching version tag, and if neither exists prompts the user (with the first commit to the package folder as the default). */
+/** "Pessimistic" comparison ref. Tries to use the registry package.json's `git.sha` property, falls back to a matching version tag, and if neither exists prompts the user to choose between the last publish with a findable sha, the last commit before the previous publish, the first commit to the package folder, or a manually-entered sha. */
 async function getPackageLastPublishRef(pkg, task) {
     const packageJson = loadLHSPackageJson(pkg);
     return first7(await getPackageJsonGitSha(pkg, packageJson, task));
@@ -669,18 +744,74 @@ async function getPackageJsonGitSha(pkg, packageJson, task) {
     const repoUrl = getPackageJsonRepository(loadRHSPackageJson(pkg) || loadLHSPackageJson(pkg) || loadPackageJson(path.join(getWorkspaceRoot(), 'package.json')));
     const olderUrl = repoUrl && oldestShownSha ? `\nOlder commits: ${repoUrl}/commits/${oldestShownSha}` : '';
     const recentList = commitLines.length ? `\nRecent commits in ${pkg.path}:\n${commitLines.join('\n')}${olderUrl}\n` : '';
+    const choices = [];
+    const lastPublishWithSha = await findLastPublishWithFindableSha(pkg, commitLines);
+    if (lastPublishWithSha) {
+        choices.push({
+            message: `${first7(lastPublishWithSha.sha)} - last publish with a findable sha (${lastPublishWithSha.version})`,
+            value: lastPublishWithSha.sha,
+        });
+    }
+    const commitBeforePreviousPublish = await getLastCommitBeforePreviousPublish(pkg, packageJson);
+    if (commitBeforePreviousPublish) {
+        choices.push({
+            message: `${first7(commitBeforePreviousPublish.sha)} - last commit before previous publish (${commitBeforePreviousPublish.version} @ ${commitBeforePreviousPublish.time})`,
+            value: commitBeforePreviousPublish.sha,
+        });
+    }
+    choices.push({ message: `${first7(firstRef)} - first commit in ${pkg.path}`, value: firstRef }, { message: 'Other (enter a sha manually)', value: 'other' });
+    const selected = await task.prompt(ListrEnquirerPromptAdapter).run({
+        type: 'Select',
+        message: `Couldn't find a git sha for the last published version of ${pkg.name}.${recentList}\nSelect the sha to diff from:`,
+        choices,
+    });
+    if (selected !== 'other')
+        return selected;
     const promptAnswer = await task.prompt(ListrEnquirerPromptAdapter).run({
         type: 'Input',
-        message: `Couldn't find a git sha for the last published version of ${pkg.name}.${recentList}\nEnter the sha to diff from (leave empty to use ${firstRef.slice(0, 7)}, the first commit in ${pkg.path}):`,
+        message: `Enter the sha to diff from:`,
         validate: (v) => {
-            if (typeof v !== 'string')
-                return 'Enter a sha, or leave empty to use the first commit.';
-            if (!v.trim())
-                return true;
-            return /^[0-9a-f]{4,40}$/i.test(v.trim()) ? true : 'Enter a valid git sha (4-40 hex chars) or leave empty.';
+            if (typeof v !== 'string' || !/^[0-9a-f]{4,40}$/i.test(v.trim()))
+                return 'Enter a valid git sha (4-40 hex chars).';
+            return true;
         },
     });
-    return promptAnswer.trim() || firstRef;
+    return promptAnswer.trim();
+}
+/**
+ * Walks the registry's published versions newest-first looking for one whose git sha can be determined - via the
+ * registry package.json's `git.sha`, a version tag, or a `version x.y.z` commit message - even if its
+ * prerelease-ness doesn't match the version being compared against. Capped at the 20 newest versions to bound
+ * `npm view` calls.
+ */
+async function findLastPublishWithFindableSha(pkg, recentCommitLines) {
+    const newestFirst = pkg.publishedVersions.slice().reverse().slice(0, 20);
+    for (const version of newestFirst) {
+        const { stdout: registrySha } = await execa('npm', ['view', `${pkg.name}@${version}`, 'git.sha'], { reject: false });
+        if (registrySha.trim())
+            return { version, sha: registrySha.trim() };
+        const tagSha = await getShaFromVersionTag(pkg, version);
+        if (tagSha)
+            return { version, sha: tagSha };
+        const versionCommitMessage = `version ${version}`;
+        const match = recentCommitLines.find(line => line.slice(line.indexOf(' ') + 1) === versionCommitMessage);
+        if (match)
+            return { version, sha: match.split(' ', 1)[0] };
+    }
+    return null;
+}
+/** The last commit in the package folder made before the previous version was published, based on the registry's publish timestamp. */
+async function getLastCommitBeforePreviousPublish(pkg, packageJson) {
+    const previousVersion = packageJson?.version || pkg.publishedVersions.at(-1);
+    if (!previousVersion)
+        return null;
+    const timesResult = await execa('npm', ['view', pkg.name, 'time', '--json'], { reject: false });
+    const times = z.record(z.string(), z.string()).safeParse(JSON.parse(timesResult.stdout || '{}'));
+    const publishTime = times.success ? times.data[previousVersion] : undefined;
+    if (!publishTime)
+        return null;
+    const { stdout: sha } = await execa('git', ['log', '-n', '1', `--before=${publishTime}`, '--pretty=format:%h', '--', '.'], { cwd: pkg.path, reject: false });
+    return sha ? { version: previousVersion, time: publishTime, sha } : null;
 }
 async function getPackageJsonShaFromVersionTag(pkg, packageJson) {
     // throw new Error(
@@ -688,13 +819,16 @@ async function getPackageJsonShaFromVersionTag(pkg, packageJson) {
     // )
     if (!packageJson?.version)
         return null;
-    const { stdout: vTagSha } = await execa('git', ['rev-list', '-n', '1', `v${packageJson.version}`], {
+    return getShaFromVersionTag(pkg, packageJson.version);
+}
+async function getShaFromVersionTag(pkg, version) {
+    const { stdout: vTagSha } = await execa('git', ['rev-list', '-n', '1', `v${version}`], {
         cwd: pkg.path,
         reject: false,
     });
     if (vTagSha)
         return vTagSha;
-    const { stdout: tagSha } = await execa('git', ['rev-list', '-n', '1', packageJson.version], {
+    const { stdout: tagSha } = await execa('git', ['rev-list', '-n', '1', version], {
         cwd: pkg.path,
         reject: false,
     });

package/package.json

@@ -1,7 +1,8 @@
 {
   "name": "mopub",
-  "version": "0.0.3",
+  "version": "0.1.0",
   "description": "Publish packages in a pnpm monorepo",
+  "license": "ISC",
   "type": "module",
   "bin": {
     "mopub": "dist/cli.js"
@@ -9,7 +10,6 @@
   "files": [
     "dist"
   ],
-  "license": "ISC",
   "dependencies": {
     "@listr2/prompt-adapter-enquirer": "^4.2.1",
     "@trpc/server": "^11.16.0",
@@ -31,9 +31,12 @@
     "tsx": "^4.21.0",
     "typescript": "^6.0.3"
   },
+  "git": {
+    "sha": "43d2162"
+  },
   "scripts": {
-    "clean": "rm -rf dist",
     "build": "tsc --noEmit false --outDir dist",
+    "clean": "rm -rf dist",
     "lint": "eslint .",
     "test": "echo maybe later"
   }