fix(provenance): avoid attempting to update provenance when a package is missing publishConfig

travi · travi · commit 3e289feb7ea7 · 2025-03-07T21:37:10.000-06:00
diff --git a/src/project-type/publishable/provenance/lifter.js b/src/project-type/publishable/provenance/lifter.js
@@ -3,7 +3,7 @@ import {mergeIntoExistingPackageJson} from '@form8ion/javascript-core';
 import enhanceSlsa from './slsa.js';
 
 export default async function ({projectRoot, packageDetails}) {
-  const {publishConfig: {access}} = packageDetails;
+  const {publishConfig: {access} = {}} = packageDetails;
 
   if ('public' === access) {
     await mergeIntoExistingPackageJson({projectRoot, config: {publishConfig: {provenance: true}}});
diff --git a/src/project-type/publishable/provenance/lifter.test.js b/src/project-type/publishable/provenance/lifter.test.js
@@ -36,4 +36,12 @@ describe('provenance lifter', () => {
     expect(enhanceSlsa).not.toHaveBeenCalled();
     expect(mergeIntoExistingPackageJson).not.toHaveBeenCalled();
   });
+
+  it('should not configure provenance for a package without `publishConfig`', async () => {
+    const packageDetails = any.simpleObject();
+
+    expect(await lift({packageDetails, projectRoot})).toEqual({});
+    expect(enhanceSlsa).not.toHaveBeenCalled();
+    expect(mergeIntoExistingPackageJson).not.toHaveBeenCalled();
+  });
 });
