How SuperJS packages are versioned, published, and patched. The release workflow
is .github/workflows/release-npm.yml (tag-triggered).
Official packages publish under the @superjsorg scope (plus the unscoped
superjs CLI). Every package publishes with npm provenance (--provenance),
so each release is attested to its source commit + workflow.
| Package | Notes |
|---|---|
superjs (CLI) |
Bundled, pure JS, no native binary, no postinstall network calls. |
@superjsorg/compiler |
The compiler API surface. |
@superjs/lsp, @superjs/std-*, @superjs/types-*, build plugins |
Published as they stabilise. |
Publish rights (R1): at least two npm accounts hold publish + provenance rights — the primary maintainer and a co-publisher — so a release is never blocked on one person. Rotation: a new co-publisher is added before the previous one is removed; rights are reviewed each minor release.
- Changesets-driven; every package keeps a
CHANGELOG.md. - Semver. The compiler and stdlib are coupled by a compiler-compat range
(
peerDependencies); a compiler major may force a stdlib major. - Tag
vX.Y.Ztriggersrelease-npm.yml, which builds and publishes the affected packages with--provenance.
A patch may ship only when:
- all smoke tests pass on Ubuntu / macOS / Windows;
- no new lint warnings;
- performance within +5 % of the prior release on the benchmark suite;
superjs verifyis byte-clean on the determinism fixtures.
- Triage SLA: 24 hours from a credible report (see
SECURITY.md). - Critical: patch + advisory within 7 days; backported to the latest minor. Coordinate disclosure; rotate any leaked credential immediately.
- Advisories are filed as GitHub Security Advisories and noted in the changelog.
nx run-many -t testgreen;nx run-many -t buildgreen.- CHANGELOG entries written (Changesets).
NPM_TOKENsecret present in CI (provenance requires the trusted workflow).- Tag
vX.Y.Z; confirm the workflow published and provenance shows on npm. - Cut the GitHub Release with the changelog.
v1.0 ships after at least one RC (1.0.0-rc.1). Maintainer-only — do not tag RC
without explicit approval and npm token rotation (see release checklist).
| Phase | Tag | Duration | Allowed changes |
|---|---|---|---|
| RC.1 | v1.0.0-rc.1 |
≥ 2 weeks | Blocker fixes only |
| RC.2 | v1.0.0-rc.2 |
≥ 2 weeks | Blocker fixes only |
| RC.3 | v1.0.0-rc.3 (if needed) |
≥ 2 weeks | Blocker fixes only |
| GA | v1.0.0 |
— | Changelog + launch artefacts |
RC checklist:
- Beta teams on
rc.N(seedocs/beta/index.md). - Bug bash complete — no open
severity=blocker(seedocs/beta/bug-bash.md). - External security review (S7) — critical/high fixed (
docs/security-review.mdwhen available). pnpm audit --audit-level=highclean; CodeQL green onmain.- Smoke on 3 OSes + Node 20/22/24:
superjs build,superjs check, LSP hover fixture. - Playground Worker deployed + smoke (
docs/ops/playground-deploy.md) if using CF path. - Automated preflight:
node scripts/rc-preflight.mjs(see--skip-slowfor quick pass).
Publishing RC: same release-npm.yml flow with v1.0.0-rc.N tag; npm dist-tag next recommended until GA.