[STG-2520] fix(ci): pin release npm to 11.x — npm@12 requires node >= 22#2344
Conversation
The 'Update npm for Trusted Publishing' step installed npm@latest, which resolves to npm@12.0.0 (published 2026-07-08) and refuses to run on the release job's node 20 (EBADENGINE). Every release since then fails before versioning. npm 11.x supports node >= 20.17 and Trusted Publishing (>= 11.5.1). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
There was a problem hiding this comment.
1 issue found across 1 file
Confidence score: 3/5
- In
.github/workflows/release.yml, the PR’s assumption that npm 11 on Node 20 preserves Trusted Publishing appears incorrect; if merged as-is, release publishing could fail in CI because Trusted Publishing requires a newer Node runtime. Update the workflow and related PR notes to use a Trusted Publishing-compatible Node version (>=22.14.0) before merging.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/release.yml">
<violation number="1" location=".github/workflows/release.yml:37">
P2: The added comment and PR claim that pinning to npm@11 preserves Trusted Publishing on Node 20, but the official npm documentation states that Trusted Publishing requires **Node >= 22.14.0** in addition to npm >= 11.5.1. If npm enforces this at runtime, the release workflow may still fail after merge — the Trusted Publishing step would encounter an incompatible environment even with the npm pin. This is worth verifying before merge or adding a fallback path (e.g., `npm publish --registry=https://registry.npmjs.org` without OIDC, or accepting a Node version bump as part of this change so the hotfix actually unblocks releases).</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
|
|
||
| - name: Update npm for Trusted Publishing | ||
| run: npm install -g npm@latest | ||
| # Trusted Publishing (OIDC) needs npm >= 11.5.1; npm 12+ requires |
There was a problem hiding this comment.
P2: The added comment and PR claim that pinning to npm@11 preserves Trusted Publishing on Node 20, but the official npm documentation states that Trusted Publishing requires Node >= 22.14.0 in addition to npm >= 11.5.1. If npm enforces this at runtime, the release workflow may still fail after merge — the Trusted Publishing step would encounter an incompatible environment even with the npm pin. This is worth verifying before merge or adding a fallback path (e.g., npm publish --registry=https://registry.npmjs.org without OIDC, or accepting a Node version bump as part of this change so the hotfix actually unblocks releases).
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/release.yml, line 37:
<comment>The added comment and PR claim that pinning to npm@11 preserves Trusted Publishing on Node 20, but the official npm documentation states that Trusted Publishing requires **Node >= 22.14.0** in addition to npm >= 11.5.1. If npm enforces this at runtime, the release workflow may still fail after merge — the Trusted Publishing step would encounter an incompatible environment even with the npm pin. This is worth verifying before merge or adding a fallback path (e.g., `npm publish --registry=https://registry.npmjs.org` without OIDC, or accepting a Node version bump as part of this change so the hotfix actually unblocks releases).</comment>
<file context>
@@ -34,7 +34,9 @@ jobs:
- name: Update npm for Trusted Publishing
- run: npm install -g npm@latest
+ # Trusted Publishing (OIDC) needs npm >= 11.5.1; npm 12+ requires
+ # node >= 22 and this job runs node 20, so pin to the 11.x line.
+ run: npm install -g npm@11
</file context>
There was a problem hiding this comment.
Fair flag — npm's docs do list node >= 22.14 in the Trusted Publishing matrix. Empirically it isn't enforced at publish time: this workflow's last green release (2026-07-08 17:50 UTC) published via TP on node 20.20.2 + npm 11.x. So this pin restores the exact configuration that was working 26h ago. Agreed the durable fix is bumping the job to node 22/24 (then @latest works again) — that changes the whole release build env (SEA binaries/prebuilds), so it's a separate change, not a hotfix. Noted in the PR body.
There was a problem hiding this comment.
The parent comment was too broad for this hotfix: Trusted Publishing has already worked on node 20.20.2 with npm 11.x in the last green release. The node 22/24 bump is still a valid separate fix, but it isn’t required for this PR.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Done in 90a6d71 — exact-pinned |
Why
Every stagehand release since 2026-07-09 18:52 UTC is broken. The Release workflow's "Update npm for Trusted Publishing" step runs
npm install -g npm@latest; npm@12.0.0 was published 2026-07-08 21:06 UTC and becamelatest, and it requires node^22.22.2 || ^24.15.0 || >=26— the release job runs node 20, so the step dies withEBADENGINEbefore versioning even starts.npm error notsup Required: {"node":"^22.22.2 || ^24.15.0 || >=26.0.0"} / Actual: {"npm":"10.8.2","node":"v20.20.2"})browse skills show([STG-2511] feat: add browse skills show and agent-facing --help header #2335) and the browse-skill guidance fixes ([STG-2513] fix: browse skill BROWSE_SESSION precedence + container guidance #2336), whose changeset is pending on main.What
Pin the step to
npm@11(currently 11.18.0): supports node >= 20.17 and Trusted Publishing/OIDC (needs npm >= 11.5.1) — the reason this step exists, since node 20 bundles npm 10.8.2 which predates it. One line + a comment stating the constraint.The alternative (bump the job to node 22/24 and keep
@latest) changes the entire release build environment (SEA binaries, prebuilds) and isn't hotfix material; it can be considered separately.Validation
EBADENGINE ... npm@12.0.0 ... Required node ^22.22.2 || ^24.15.0 || >=26 / Actual node v20.20.2, exit 1 at the pinned stepcurl registry.npmjs.org/npm→ dist-tags + publish timeslatest = 12.0.0, published 2026-07-08T21:06Z — inside the 07-08 17:50 → 07-09 18:52 breakage window@latestdrift is the trigger; nothing repo-side changedLinear: STG-2520
🤖 Generated with Claude Code
Summary by cubic
Pin
npmin the Release workflow to11.18.0to avoidnpm@12requiring Node >=22. Restores releases on Node 20 and keeps Trusted Publishing (Linear: STG-2520).Written for commit 90a6d71. Summary will update on new commits.