From f3e2a49614d2ea268dfbdf3475c3fbe25c66bac8 Mon Sep 17 00:00:00 2001 From: Freeman Date: Fri, 1 May 2026 10:51:09 +0100 Subject: [PATCH 1/2] ci: use corepack to activate npm 11 instead of npm self-upgrade MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The bundled npm 10.x on the Node 22 runner is broken — any `npm install -g npm@*` hits MODULE_NOT_FOUND for promise-retry. Corepack is a Node built-in that downloads package managers from scratch, bypassing the corrupt bundled installation entirely. Pin to npm@11.5.1 (first version with OIDC trusted publishing support) for deterministic behavior. --- .github/workflows/release.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9699d34..a6d562e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -34,15 +34,19 @@ jobs: node-version: '22' cache: npm - - name: Upgrade npm (required for OIDC trusted publishing) + - name: Activate npm 11 via corepack (required for OIDC trusted publishing) # OIDC trusted publishing requires npm >= 11.5.1. Node 22 ships with # npm 10.x, which falls back to traditional auth and fails with - # ENEEDAUTH. We pin to npm@11 (major range) rather than @latest to - # avoid a MODULE_NOT_FOUND bug in the bundled npm's self-upgrade - # path when targeting @latest. If this ever breaks, a corepack-based - # fallback (`corepack prepare npm@latest --activate`) is the next - # option to try. - run: npm install -g npm@11 + # ENEEDAUTH. The bundled npm 10.x on the runner is corrupted — any + # `npm install -g npm@*` hits MODULE_NOT_FOUND for promise-retry. + # corepack is a Node built-in (since 16.9) that downloads package + # managers from scratch, bypassing the corrupt bundled npm entirely. + # Pinned to 11.5.1 (first version with OIDC trusted publishing + # support) for deterministic behavior. + run: | + corepack enable + corepack prepare npm@11.5.1 --activate + npm --version # ── Test gate ───────────────────────────────────────────────────── # Install, build, and test BEFORE any mutating action (version bump, From ea3679d14f2861e43d46ca523b21a0a4f6dda2fb Mon Sep 17 00:00:00 2001 From: Freeman Date: Fri, 1 May 2026 10:51:22 +0100 Subject: [PATCH 2/2] docs: add PR write-up for Activate npm 11 via corepack to unblock release publish --- .../2026-05-01-fix-release-corepack.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 documentation/PULL_REQUESTS/2026-05-01-fix-release-corepack.md diff --git a/documentation/PULL_REQUESTS/2026-05-01-fix-release-corepack.md b/documentation/PULL_REQUESTS/2026-05-01-fix-release-corepack.md new file mode 100644 index 0000000..798bdec --- /dev/null +++ b/documentation/PULL_REQUESTS/2026-05-01-fix-release-corepack.md @@ -0,0 +1,20 @@ +## Problem + +Our release pipeline is currently unable to publish new versions to npm. The step that upgrades the installed `npm` to a version new enough to use our secure authentication method fails with an internal error — not because the target version is wrong, but because the copy of `npm` preinstalled on our build server has corrupted dependencies and cannot install anything, including itself. + +This has left `v1.1.0` tagged and released on GitHub but not actually published to npm. + +## Solution + +Switch to a different mechanism for installing the newer `npm`. Instead of asking the broken `npm` to upgrade itself, use the package-manager manager that ships with Node (built in since 2021) to download the version we need directly from the registry. + +This bypasses the corrupt installation entirely and is the approach recommended by the Node team for this exact situation. + +## Impact + +Once this merges, the release workflow can be re-run in "skip bump" mode to finish publishing the stalled `v1.1.0` to npm. + +# Credits + +- Nabs (Architect) +- JENA (Lead Developer)