fix(publish): add repository field required by npm provenance verification#75

Merged
bnimit merged 1 commit into main from fix/publish-package-repository-field, May 14, 2026

Conversation

@bnimit bnimit commented May 14, 2026

Summary

Hot-fix for the v1.8.2 release. The first publish attempt failed at npm's provenance verification step:

npm error 422 Unprocessable Entity - PUT https://registry.npmjs.org/quickjs-emscripten-sync
- Error verifying sigstore provenance bundle: Failed to validate repository
information: package.json: "repository.url" is "", expected to match
"https://github.com/reearth/quickjs-emscripten-sync" from provenance

Cause

npm Trusted Publishing cross-checks the package's `repository` field in `package.json` against the GitHub repo URL embedded in the OIDC-signed provenance attestation, and refuses the publish if they disagree. `package.json` here had no `repository` field at all, so the check failed.

Fix

Add the standard `repository` / `homepage` / `bugs` trio pointing at `reearth/quickjs-emscripten-sync`. These also improve the package page on npmjs.com — users get a working "Repository" link rather than nothing.

Confirmed no side effects

  • `npm view quickjs-emscripten-sync@1.8.2` returns 404. The failed publish never uploaded a tarball.
  • The `v1.8.2` git tag will be deleted and re-created at this PR's merge commit after it lands. The publish workflow then re-runs from scratch with the fixed `package.json` and `package.json.version` still at `1.8.2` so the tag-version verify still passes.
  • `actionlint` clean; `npm run lint` / `npm test --run` (137/137) / `npm run build` all pass.

🤖 Generated with Claude Code

…ation

The first attempt at the v1.8.2 release failed with:

  npm error 422 Unprocessable Entity ... Error verifying sigstore
  provenance bundle: Failed to validate repository information:
  package.json: "repository.url" is "", expected to match
  "https://github.com/reearth/quickjs-emscripten-sync" from provenance.

npm Trusted Publishing cross-checks the package.json `repository` field
against the GitHub repo URL embedded in the OIDC-signed provenance
attestation, and refuses the publish if they don't match. package.json
had no `repository` field at all, so npm's check failed.

Add the standard repository/homepage/bugs trio so the published tarball
points back at the source repo correctly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@bnimit bnimit requested a review from rot1024 as a code owner May 14, 2026 07:23
@bnimit bnimit merged commit 324e4b2 into main May 14, 2026
3 checks passed
@bnimit bnimit deleted the fix/publish-package-repository-field branch May 14, 2026 07:26