
NPM publish using CI

Open FiloSottile opened this issue 1 year ago • 2 comments

I also usually do NPM publish using CI: publish-npm.yml

It will build the package and upload it to NPM, using transparency logs. This would require adding NPM_PUBLISH_TOKEN to the repository.

It allows keeping one less token that could be stolen from my machine.

Originally posted by @paulmillr in https://github.com/FiloSottile/typage/issues/21#issuecomment-2243071291

FiloSottile avatar Jul 23 '24 00:07 FiloSottile
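For readers who have not seen a provenance-enabled publish job, the following is an added illustration of the kind of workflow the quoted comment describes; it is not the publish-npm.yml file referenced above and not part of this repository. It assumes GitHub Actions, a release-triggered run, and a repository secret named NPM_PUBLISH_TOKEN as mentioned in the comment. `npm publish --provenance` asks npm to generate a Sigstore attestation linking the published tarball to this workflow run and records it in the public transparency log, which is the "transparency logs" part; that needs the `id-token: write` permission so the job can obtain an OIDC token.

```yaml
# Added example workflow (assumed names: NPM_PUBLISH_TOKEN secret, Node 20).
name: Publish to npm

on:
  release:
    types: [published]

permissions:
  contents: read   # checkout only; no write access to the repository
  id-token: write  # required for npm to request an OIDC token for provenance

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'

      # npm ci installs exactly what the committed lockfile pins (and verifies
      # its integrity hashes), instead of resolving ranges at publish time.
      - run: npm ci

      - run: npm run build

      # --provenance signs the package with the workflow identity and publishes
      # the attestation to the Sigstore transparency log.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
```

The token still has to exist as a repository secret, but it never lives on a developer machine, and the secret can be a granular, per-package publish token rather than an account-wide one. Consumers can then check the published version's attestation against the expected repository and workflow before trusting it.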

I see you're trying to do this in two steps, to limit malware, which can be uploaded by esbuild.

If the esbuild version is locked, and all devDependencies are also locked (change from ^1.2.3 to 1.2.3), then the damage they can do is minimized. Their code is basically time-tested, and there won't be a situation where a malwared update does something bad, because you won't be doing regular updates. If you do this, committing the lockfile (which contains checksums) to the repo makes sense.

Also, NPM has granular tokens, which can be created per-package.

paulmillr avatar Jul 23 '24 00:07 paulmillr

Hi, I notice the main branch has switched to the noble pure JS implementation, and the README has been updated.

But may I ask when (in plan) the new version would be released?

Thanks!

fyears avatar Aug 05 '24 17:08 fyears

@FiloSottile I'd love to use your new version, based on noble, in my sops-age module (we just switched it to use the noble ciphers too).

What's blocking this work that we could help with so it gets published to npm?

humphd avatar Jan 04 '25 17:01 humphd

This is fantastic, thanks @FiloSottile! I'm down to 6K (ESM) and 34K (CJS) now ✅

humphd avatar Jan 06 '25 21:01 humphd