098ed35a50
* fix: remove @gsd/* cross-deps that break npm install (#hotfix) Workspace packages declared @gsd/* as dependencies in their own package.json files. npm's bundleDependencies bundles packages into node_modules/ but still tries to resolve sub-dependencies from the registry — causing 404s for the unpublished @gsd/* scope. - Remove @gsd/* from all dependencies (root and workspace packages) - Add validate-pack.sh: tests tarball installability before publish - Wire validate-pack into CI (every PR) and publish pipeline - Bump to v2.10.10 - Update changelog Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: drop bundleDependencies, use postinstall symlinks instead bundleDependencies with workspace packages causes npm to resolve @gsd/* from the registry during install — 404 since they're not published. Replace with a postinstall script that creates node_modules/@gsd/* symlinks pointing to packages/*. - Remove @gsd/* from dependencies and bundleDependencies - Add link-workspace-packages.cjs (CJS, runs before ESM postinstall) - Update validate-pack to verify symlinks after install - Include link script in files array Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: robust validate-pack + fallback workspace linking - Keep @gsd/* in bundleDependencies (for npm pack bundling) - Remove @gsd/* from root dependencies (prevents 404 registry lookups) - Add link-workspace-packages.cjs fallback for when bundled symlinks aren't created - Simplified validate-pack with better error diagnostics Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: remove bundleDependencies — use postinstall symlinks only npm 10.x fetches packument metadata for ALL deps including bundled ones. @gsd/* packages don't exist on npm → 404 → hard install failure. bundleDependencies is fundamentally broken for unpublished workspace packages. Replace with: - packages/ shipped via files array (already was) - link-workspace-packages.cjs creates node_modules/@gsd/* symlinks in postinstall, pointing to packages/* - No @gsd/* in dependencies or bundleDependencies at all Tarball drops from 40M to 3M (no bundled node_modules). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: add .npmignore to prevent .gitignore from excluding dist/ .gitignore contains /dist/ and packages/*/dist/ which are needed in the published tarball. Without .npmignore, npm pack respects .gitignore and excludes them — even though "files" in package.json should override. An empty .npmignore causes npm to ignore .gitignore entirely, letting the "files" field control what's packed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: avoid SIGPIPE in validate-pack on Linux tar | grep -q causes SIGPIPE (exit 141) on Linux when grep closes the pipe early. Write tar listing to a temp file and grep that instead. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
83 lines
2.3 KiB
Bash
Executable file
83 lines
2.3 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# validate-pack.sh — Verify the npm tarball is installable before publishing.
|
|
#
|
|
# Usage: npm run validate-pack (or bash scripts/validate-pack.sh)
|
|
# Exit 0 = safe to publish, Exit 1 = broken package.
|
|
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
|
ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
|
|
cd "$ROOT"
|
|
|
|
# --- Guard: workspace packages must not have @gsd/* cross-deps ---
|
|
echo "==> Checking workspace packages for @gsd/* cross-deps..."
|
|
CROSS_FAILED=0
|
|
for ws_pkg in native pi-agent-core pi-ai pi-coding-agent pi-tui; do
|
|
RESULT=$(node -e "
|
|
const pkg = require('./packages/${ws_pkg}/package.json');
|
|
const deps = Object.keys(pkg.dependencies || {}).filter(d => d.startsWith('@gsd/'));
|
|
if (deps.length) { console.log(deps.join(', ')); process.exit(1); }
|
|
" 2>&1) || {
|
|
echo " LEAKED in ${ws_pkg}: $RESULT"
|
|
CROSS_FAILED=1
|
|
true
|
|
}
|
|
done
|
|
if [ "$CROSS_FAILED" = "1" ]; then
|
|
echo "ERROR: Workspace packages have @gsd/* cross-dependencies."
|
|
echo " These cause 404s when npm resolves them from the registry."
|
|
exit 1
|
|
fi
|
|
echo " No @gsd/* cross-dependencies."
|
|
|
|
# --- Pack tarball ---
|
|
echo "==> Packing tarball..."
|
|
TARBALL_NAME=$(npm pack --ignore-scripts 2>/dev/null | tail -1)
|
|
TARBALL="$ROOT/$TARBALL_NAME"
|
|
|
|
if [ ! -f "$TARBALL" ]; then
|
|
echo "ERROR: npm pack produced no tarball"
|
|
exit 1
|
|
fi
|
|
|
|
INSTALL_DIR=$(mktemp -d)
|
|
trap 'rm -rf "$INSTALL_DIR" "$TARBALL"' EXIT
|
|
|
|
echo "==> Tarball: $TARBALL_NAME ($(du -h "$TARBALL" | cut -f1) compressed)"
|
|
|
|
# --- Check critical files using tar listing dumped to a file ---
|
|
# (avoids SIGPIPE issues with tar | grep on Linux)
|
|
TAR_LIST=$(mktemp)
|
|
tar tzf "$TARBALL" > "$TAR_LIST" 2>/dev/null
|
|
|
|
MISSING=0
|
|
for required in dist/loader.js packages/pi-coding-agent/dist/index.js scripts/link-workspace-packages.cjs; do
|
|
if ! grep -q "package/${required}" "$TAR_LIST"; then
|
|
echo " MISSING: $required"
|
|
MISSING=1
|
|
fi
|
|
done
|
|
rm -f "$TAR_LIST"
|
|
|
|
if [ "$MISSING" = "1" ]; then
|
|
echo "ERROR: Critical files missing from tarball."
|
|
exit 1
|
|
fi
|
|
echo " Critical files present."
|
|
|
|
# --- Install test ---
|
|
echo "==> Testing install in isolated directory..."
|
|
cd "$INSTALL_DIR"
|
|
npm init -y > /dev/null 2>&1
|
|
|
|
if npm install "$TARBALL" 2>&1; then
|
|
echo "==> Install succeeded."
|
|
else
|
|
echo ""
|
|
echo "ERROR: npm install of tarball failed."
|
|
exit 1
|
|
fi
|
|
|
|
echo ""
|
|
echo "Package is installable. Safe to publish."
|