feat: add npm upgrade step in publish workflow #217
Merged
🔴 The new "Check and upgrade npm" step uses `npm install -g npm@latest`, which is unpinned — every workflow run may install a different npm version, making builds non-deterministic. More critically, in a publish workflow with registry credentials, a compromised or broken version briefly tagged `@latest` on the npm registry would be automatically adopted; pin to a specific version like `npm@10.9.2` instead.

What the bug is and how it manifests

The newly added step runs `npm install -g npm@latest` without pinning to a specific version. The `@latest` dist-tag on the npm registry is a floating pointer that changes whenever a new npm release is published. This means the version of npm installed in the workflow is determined at runtime by whatever is currently tagged `@latest`, not by anything recorded in source control.

The specific code path that triggers it

Line 57 of `.github/workflows/publish.yaml` (the new step named "Check and upgrade npm") runs:

This executes on every trigger of the `publish` job — both on push to `main` (the release path) and on canary/RC `issue_comment` triggers.

Why existing code doesn't prevent it

There is no version lock or checksum verification anywhere in the workflow for this global npm install. GitHub Actions runners do cache some tooling, but a fresh `npm install -g` bypasses any such caching and fetches directly from the registry. Nothing in the repository enforces which npm version is installed.

What the impact would be

Two distinct risks apply:

- `pnpm release` (backed by changeset-actions). Downstream consumers of these packages trust that the publishing toolchain was not tampered with. If a malicious or broken npm release is briefly tagged `@latest` on the registry — a known attack category — the workflow would install it and use it for the publish operation before anyone can react.

How to fix it

Replace the floating tag with a pinned version:

The pinned version should be deliberately updated in a PR when an upgrade is intentional, making the change explicit and reviewable.

Step-by-step proof

1. `npm@latest` resolves to `10.9.2`. Packages are published successfully.
2. `npm@11.0.0` tomorrow and tags it `@latest`.
3. `npm install -g npm@latest` now installs `11.0.0`.
4. `npm@11.0.0` has a breaking change in its publish behavior (or, in the attack scenario, is a compromised build).
5. `pnpm release` (or changeset-actions) calls npm under the hood; packages are published with the new/compromised npm binary without any human review of the npm upgrade.
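As an added example (not the reviewer's code and not this project's workflow), the following shell lint distinguishes the floating step criticised in the review from a pinned one and could gate workflow files in CI. The sample step text, the file names and the use of `10.9.2` as the pinned version are constructed for the example; the project's real `publish.yaml` is not shown on this page.

```shell
#!/bin/sh
# Added example: flag global npm self-installs in GitHub Actions workflow files
# that are not pinned to an exact x.y.z release. Not the project's own code.

# Constructed sample steps (assumed layout; not copied from the project's workflow).
WEAK_STEP='      - name: Check and upgrade npm
        run: npm install -g npm@latest'
PINNED_STEP='      - name: Check and upgrade npm
        run: npm install -g npm@10.9.2'

# check_npm_pin FILE
# Prints every line that runs "npm install -g npm..." without an exact version:
# a floating dist-tag such as @latest, a bare "npm" (which also means @latest),
# or a partial version such as npm@10 that still floats within a major line.
# Returns 1 if any such line was found, 0 if every npm self-install is pinned.
check_npm_pin() {
  hits=$(grep -nE 'npm install -g npm(@[^[:space:]]*)?' "$1" \
         | grep -vE 'npm install -g npm@[0-9]+\.[0-9]+\.[0-9]+' || true)
  if [ -n "$hits" ]; then
    printf 'unpinned npm install in %s:\n%s\n' "$1" "$hits"
    return 1
  fi
  return 0
}

# Demo on the two constructed samples written to a temporary directory.
tmpdir=$(mktemp -d)
printf '%s\n' "$WEAK_STEP" > "$tmpdir/weak.yaml"
printf '%s\n' "$PINNED_STEP" > "$tmpdir/pinned.yaml"
check_npm_pin "$tmpdir/weak.yaml" || echo "weak.yaml: flagged, as expected"
check_npm_pin "$tmpdir/pinned.yaml" && echo "pinned.yaml: OK"
rm -rf "$tmpdir"
```

The check is deliberately narrow: it only recognises an exact semver triple as pinned, so `npm@latest`, `npm@next`, a bare `npm` and a partial `npm@10` are all reported. It does not replace the reviewer's point about checksum verification; pinning the version fixes the floating-tag problem the comment describes, while integrity verification of the fetched tarball is a separate control.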