Skip to content

[STG-2520] fix(ci): pin release npm to 11.x — npm@12 requires node >= 22#2344

Merged
shrey150 merged 2 commits into
mainfrom
shrey/fix-release-npm-pin
Jul 9, 2026
Merged

[STG-2520] fix(ci): pin release npm to 11.x — npm@12 requires node >= 22#2344
shrey150 merged 2 commits into
mainfrom
shrey/fix-release-npm-pin

Conversation

@shrey150

@shrey150 shrey150 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Why

Every stagehand release since 2026-07-09 18:52 UTC is broken. The Release workflow's "Update npm for Trusted Publishing" step runs npm install -g npm@latest; npm@12.0.0 was published 2026-07-08 21:06 UTC and became latest, and it requires node ^22.22.2 || ^24.15.0 || >=26 — the release job runs node 20, so the step dies with EBADENGINE before versioning even starts.

What

Pin the step to npm@11 (currently 11.18.0): supports node >= 20.17 and Trusted Publishing/OIDC (needs npm >= 11.5.1) — the reason this step exists, since node 20 bundles npm 10.8.2 which predates it. One line + a comment stating the constraint.

The alternative (bump the job to node 22/24 and keep @latest) changes the entire release build environment (SEA binaries, prebuilds) and isn't hotfix material; it can be considered separately.

Validation

Command / flow Observed output Confidence / sufficiency
Failure-log inspection of both failed Release runs EBADENGINE ... npm@12.0.0 ... Required node ^22.22.2 || ^24.15.0 || >=26 / Actual node v20.20.2, exit 1 at the pinned step Proves the failure mechanism exactly at this line
curl registry.npmjs.org/npm → dist-tags + publish times latest = 12.0.0, published 2026-07-08T21:06Z — inside the 07-08 17:50 → 07-09 18:52 breakage window Proves @latest drift is the trigger; nothing repo-side changed
npm 11.x engine range vs job node npm 11.18.0 supports node >= 20.17; job runs 20.20.2 Proves the pin resolves the engine conflict while keeping Trusted Publishing (>= 11.5.1)
Real release exercise Not possible pre-merge — the Release workflow only runs from main. Merging this PR pushes to main, which itself triggers Release with the pending browse changeset — that run is the live verification The one path that cannot be tested from a branch

Linear: STG-2520

🤖 Generated with Claude Code


Summary by cubic

Pin npm in the Release workflow to 11.18.0 to avoid npm@12 requiring Node >=22. Restores releases on Node 20 and keeps Trusted Publishing (Linear: STG-2520).

Written for commit 90a6d71. Summary will update on new commits.

Review in cubic

The 'Update npm for Trusted Publishing' step installed npm@latest, which
resolves to npm@12.0.0 (published 2026-07-08) and refuses to run on the
release job's node 20 (EBADENGINE). Every release since then fails before
versioning. npm 11.x supports node >= 20.17 and Trusted Publishing (>= 11.5.1).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@changeset-bot

changeset-bot Bot commented Jul 9, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 90a6d71

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 1 file

Confidence score: 3/5

  • In .github/workflows/release.yml, the PR’s assumption that npm 11 on Node 20 preserves Trusted Publishing appears incorrect; if merged as-is, release publishing could fail in CI because Trusted Publishing requires a newer Node runtime. Update the workflow and related PR notes to use a Trusted Publishing-compatible Node version (>=22.14.0) before merging.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/release.yml">

<violation number="1" location=".github/workflows/release.yml:37">
P2: The added comment and PR claim that pinning to npm@11 preserves Trusted Publishing on Node 20, but the official npm documentation states that Trusted Publishing requires **Node >= 22.14.0** in addition to npm >= 11.5.1. If npm enforces this at runtime, the release workflow may still fail after merge — the Trusted Publishing step would encounter an incompatible environment even with the npm pin. This is worth verifying before merge or adding a fallback path (e.g., `npm publish --registry=https://registry.npmjs.org` without OIDC, or accepting a Node version bump as part of this change so the hotfix actually unblocks releases).</violation>
</file>

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread .github/workflows/release.yml Outdated

- name: Update npm for Trusted Publishing
run: npm install -g npm@latest
# Trusted Publishing (OIDC) needs npm >= 11.5.1; npm 12+ requires

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: The added comment and PR claim that pinning to npm@11 preserves Trusted Publishing on Node 20, but the official npm documentation states that Trusted Publishing requires Node >= 22.14.0 in addition to npm >= 11.5.1. If npm enforces this at runtime, the release workflow may still fail after merge — the Trusted Publishing step would encounter an incompatible environment even with the npm pin. This is worth verifying before merge or adding a fallback path (e.g., npm publish --registry=https://registry.npmjs.org without OIDC, or accepting a Node version bump as part of this change so the hotfix actually unblocks releases).

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/release.yml, line 37:

<comment>The added comment and PR claim that pinning to npm@11 preserves Trusted Publishing on Node 20, but the official npm documentation states that Trusted Publishing requires **Node >= 22.14.0** in addition to npm >= 11.5.1. If npm enforces this at runtime, the release workflow may still fail after merge — the Trusted Publishing step would encounter an incompatible environment even with the npm pin. This is worth verifying before merge or adding a fallback path (e.g., `npm publish --registry=https://registry.npmjs.org` without OIDC, or accepting a Node version bump as part of this change so the hotfix actually unblocks releases).</comment>

<file context>
@@ -34,7 +34,9 @@ jobs:
 
       - name: Update npm for Trusted Publishing
-        run: npm install -g npm@latest
+        # Trusted Publishing (OIDC) needs npm >= 11.5.1; npm 12+ requires
+        # node >= 22 and this job runs node 20, so pin to the 11.x line.
+        run: npm install -g npm@11
</file context>

@shrey150 shrey150 Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair flag — npm's docs do list node >= 22.14 in the Trusted Publishing matrix. Empirically it isn't enforced at publish time: this workflow's last green release (2026-07-08 17:50 UTC) published via TP on node 20.20.2 + npm 11.x. So this pin restores the exact configuration that was working 26h ago. Agreed the durable fix is bumping the job to node 22/24 (then @latest works again) — that changes the whole release build env (SEA binaries/prebuilds), so it's a separate change, not a hotfix. Noted in the PR body.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The parent comment was too broad for this hotfix: Trusted Publishing has already worked on node 20.20.2 with npm 11.x in the last green release. The node 22/24 bump is still a valid separate fix, but it isn’t required for this PR.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@shrey150

shrey150 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

Done in 90a6d71 — exact-pinned npm@11.18.0 (last 11.x, published 2026-06-29), comment updated with the unpin condition (job moves to node >= 22 → back to @latest).

@shrey150 shrey150 merged commit 25a4938 into main Jul 9, 2026
37 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants