feat(npm-publish-workflow): add version checks and conditional publishing #45
Changes requested. Reviewed entire PR up to commit 7e367fe
Reviewed 56 lines of code across 1 files in 58 second(s).
- Skipped files: 0 (please contact us to request support for these files)
- Confidence threshold: 50%
- Drafted 1 additional comments.
- Workflow ID: wflow_MPZBg1FABee0CvSA
These comments were drafted by Ellipsis, but were filtered out of the final review. They're included here so you can see our internal thought process and help you configure your ellipsis.yaml.
Drafted 1 additional comments
Comment at .github/workflows/npm-publish.yml:42
The variable is_next is defined in the 'Check if version is a prerelease' step but is used in the 'Publish package' step. This might cause an issue as the variable might not be available in the second step. Consider defining the is_next variable in the step where it's used or make it globally available.
Something look wrong? You can customize Ellipsis by editing the ellipsis.yaml for this repository.
Generated with ❤️ by ellipsis.dev
Looks good to me! Incremental review on commit ccd6931
Reviewed 12 lines of code across 1 files in 1 minute(s) and 5 second(s).
- Skipped files: 0 (please contact us to request support for these files)
- Confidence threshold: 50%
- Drafted 1 additional comments.
- Workflow ID: wflow_PbdvZmIgkjoew4WA
Drafted 1 additional comments
Comment at .github/workflows/npm-publish.yml:20
The PR description mentions that the actions/checkout and actions/setup-node have been upgraded, but the version numbers in the file are still at v4. Please confirm if this is the intended version.
No problems found on commit ac80017
* chore(deps): resolve all Dependabot security alerts (dev deps)

  Resolve all 6 open Dependabot alerts, all in development scope:

  - uuid ^10.0.0 -> ^11.1.1 (devDependency) — missing buffer bounds check in v3/v5/v6 (#46, #45)
  - fast-uri 3.0.6 -> 3.1.2 via resolutions — host confusion and path traversal via percent-encoded sequences (#42, #41)
  - picomatch 2.3.1 -> 2.3.2 via resolutions — method injection in POSIX character classes (#36)
  - @tootallnate/once 2.0.0 -> 2.0.1 via resolutions — incorrect control flow scoping (#43)

  Transitive deps are pinned via the existing `resolutions` block since Yarn 1's `upgrade` doesn't bump transitive-only packages. All changes are dev-scoped; `yarn build` and the full test suite (363 tests) pass.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* chore(deps): remove unused uuid and @types/uuid devDependencies

  Both were only ever used by the examples/ directory, which was deleted in #149 (commit 4b7760c, 2025-08-04), leaving them orphaned and unused for ~10 months. The current tree has zero imports of uuid. Removing them drops two packages from the dependency tree (and their future Dependabot alerts) and supersedes the uuid 10->11 bump as the fix for the uuid buffer-bounds alerts (#45/#46).

  The fast-uri, picomatch, and @tootallnate/once resolutions are unaffected (pulled via jest/webpack/msw, not uuid). yarn build and the full test suite (363) pass.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary:
This PR enhances the npm publishing workflow by adding version checks and conditional publishing based on the version type.
Key points:
- `actions/checkout` and `actions/setup-node` in `/.github/workflows/npm-publish.yml`
- `package.json` version with tag and check for prerelease