fix(release): stop npm pack --dry-run leaking dry-run into backend install#129
Merged
Conversation
…stall
The release (optic-release-automation) runs `npm pack --dry-run` to verify
the package builds. That exports `npm_config_dry_run=true`, which the nested
`npm ci` deep inside the pack lifecycle inherits:
npm pack --dry-run → prepack → npm run backend:build
→ prebackend:build → backend:install → npm ci --prefix backend
So the backend install became a no-op — nothing written to backend/node_modules
("added 637 packages in 321ms" is the tell) — yet npm still ran the package's
own `postinstall` (`patch-package`), which then wasn't on disk:
sh: patch-package: command not found (npm error code 127)
The only `npm_config_*` env delta between the working path (`npm run
backend:build`) and the failing path (`npm pack --dry-run`) is
`npm_config_dry_run=true`; the "command not found" was an empty install, not a
PATH/.bin issue.
Fix: force dry-run off on the nested install with `--no-dry-run` (a CLI flag
overrides the inherited config). Also drop `--ignore-scripts` + the manual
`npm --prefix backend run postinstall`, folding this into the
`strict-allow-scripts=true` allowlist model from #106 — strict mode runs the
backend's own postinstall while denying dependency scripts. backend:install was
the one script #106 missed.
Validated end-to-end: `npm pack --dry-run` now exits 0 — real backend install,
typebox patch applied, rolldown bundle built, tarball produced.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
gmaclennan
added a commit
that referenced
this pull request
Jun 22, 2026
## Optic Release Automation This **draft** PR is opened by Github action [optic-release-automation-action](https://github.com/nearform-actions/optic-release-automation-action). A new **draft** GitHub release [v1.0.0-pre.2](https://github.com/digidem/comapeo-core-react-native/releases/tag/untagged-352a6c41c12fd02dec37) has been created. Release author: @gmaclennan #### If you want to go ahead with the release, please merge this PR. When you merge: - The GitHub release will be published - The npm package with tag pre will be published according to the publishing rules you have configured - No major or minor tags will be updated as configured #### If you close the PR - The new draft release will be deleted and nothing will change <!-- Release notes generated using configuration in .github/release.yml at 7fe80b4 --> ## What's Changed ### 🚀 Features * Integrate @comapeo/core via IPC over Unix sockets by @gmaclennan in #5 * Add iOS support & test infrastructure by @gmaclennan in #6 * iOS Phase 1: unified JS bundle + smoke test (simulator-only) by @gmaclennan in #15 * iOS Phase 2: xcframework Embed & Sign for native addons by @gmaclennan in #16 * Phase 2 Android: jniLibs packaging + unified rollup loader plugin by @gmaclennan in #17 * android: read abiFilters from reactNativeArchitectures (#30) by @gmaclennan in #35 * Add rootkey persistence and lifecycle state management by @gmaclennan in #36 * Sentry integration: Phase 1 + Phase 2a + Phase 2b by @gmaclennan in #54 * feat(backend): polywasm-backed undici on iOS, re-enable maps plugin by @gmaclennan in #62 * feat(sentry): land Phase 3 — backend loader + RPC tracing by @gmaclennan in #63 * feat(sentry): land Phases 6 + 7a — Android exit reasons & iOS MetricKit app-exit telemetry by @gmaclennan in #72 * feat(sentry): migrate to @sentry/react-native v8; exit telemetry as Application Metrics by @gmaclennan in #73 * Map server integration by @gmaclennan in #86 * feat(config): let the consuming app supply the default project config by @gmaclennan in #95 ### 🐛 Bug Fixes * fix(android): drop setUnlockedDeviceRequired from rootkey wrapper key by @gmaclennan in #57 * fix(backend): cache stopping/error frames for late joiners by @gmaclennan in #58 * fix(ios-tests): wait for STOPPING before signalling node exit by @gmaclennan in #59 * fix(android): drain JNI stdio pumps before returning from node::Start by @gmaclennan in #60 * fix(ios-tests): serialise STOPPING/STOPPED observers in testFullLifecycleStateTransitions by @gmaclennan in #71 * fix(sentry): make exit telemetry lossless and stop cross-process clobbering by @gmaclennan in #84 * fix: start fastify listening by @gmaclennan in #93 * fix(ci): ignore-scripts in ios npm installs by @gmaclennan in #96 * fix(ci): replace --ignore-scripts with npm strict-allow-scripts allowlist by @gmaclennan in #106 * fix(release): stop `npm pack --dry-run` leaking dry-run into backend install by @gmaclennan in #129 ### ⚡ Performance * perf(backend): switch bundler from rollup to rolldown by @gmaclennan in #94 ### ⬆️ Dependencies * update some native deps used in backend by @achou11 in #14 * chore(deps): upgrade to Expo SDK 56 (React Native 0.85) by @gmaclennan in #87 ### 🏗️ Maintenance * Android Testing Infrastructure & Bug Fixes by @gmaclennan in #3 * chore: prebuild example/android; harden instrumented tests by @gmaclennan in #10 * chore: adjust repo setup by @achou11 in #12 * chore: minor fixes based on expo-doctor by @achou11 in #13 * chore: add architecture docs & plans by @gmaclennan in #11 * chore: post-Phase-2 cleanup — comments, plan docs, agents.md by @gmaclennan in #33 * refactor: simplify build-backend.ts; rollup writes directly to native asset trees by @gmaclennan in #34 * chore: fix eslint configuration by @achou11 in #41 * android: audit 16 KB page alignment on every shipped .so by @gmaclennan in #43 * chore: move example app into apps directory by @achou11 in #18 * refactor: per-component lifecycle state with derived ComapeoState by @gmaclennan in #47 * android: fold waitForFile into connect retry loop by @gmaclennan in #52 * chore: add e2e testing app by @achou11 in #49 * ci: drop unreliable Android emulator snapshot caching by @gmaclennan in #64 * use npm list instead of custom traversal to get native module versions by @achou11 in #70 * chore(e2e): add e2e tests on browserstack via Maestro by @achou11 in #56 * chore(ci): add release workflow by @gmaclennan in #90 * chore: fix npm script and release build script by @gmaclennan in #91 * chore(pack): don't try to package build files by @gmaclennan in #92 * chore(release): merge prerelease branch. by @gmaclennan in #110 * ci(e2e): retry BrowserStack builds on infra-class flakes by @gmaclennan in #113 ### Other Changes * ci: derive changelog labels from PR titles + add Dependabot by @gmaclennan in #114 ## New Contributors * @achou11 made their first contribution in #12 * @optic-release-automation[bot] made their first contribution in #112 **Full Changelog**: https://github.com/digidem/comapeo-core-react-native/commits/v1.0.0-pre.2 <!-- <release-meta>{"id":342970724,"version":"v1.0.0-pre.2","npmTag":"pre","opticUrl":"https://optic-zf3votdk5a-ew.a.run.app/api/generate/"}</release-meta> -->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The prerelease failed at the
npm pack --dry-runstep (run 27951069615):Root cause
nearform-actions/optic-release-automationrunsnpm pack --dry-runto verify the package builds. That exportsnpm_config_dry_run=trueinto the environment, and it's inherited by the nestednpm cideep inside the pack lifecycle:So the backend install became a no-op — nothing written to
backend/node_modules(theadded 637 packages in 321msin the log is the tell; a real install takes ~20s) — yet npm still ran the package's ownpostinstall(patch-package). With nothing on disk,patch-packagewasn't there →command not found.The "command not found" was not a PATH/
.binproblem. Diffing thenpm_config_*environment between the working path (npm run backend:build) and the failing path (npm pack --dry-run), the only delta isnpm_config_dry_run=true.Fix
--no-dry-runis the load-bearing change — a CLI flag overrides the inheritednpm_config_dry_run, so the nested install actually runs.--ignore-scripts+ the manualnpm --prefix backend run postinstallfolds this into thestrict-allow-scripts=trueallowlist model established in fix(ci): replace --ignore-scripts with npm strict-allow-scripts allowlist #106: strict mode runs the backend's ownpostinstall(patch-package) while denying dependency scripts (better-sqlite3,@sentry/cli).backend:installwas the one script fix(ci): replace --ignore-scripts with npm strict-allow-scripts allowlist #106 missed.Validation
Ran the exact failing command end-to-end locally (after
npm run download:nodejs-mobile, which the release build-command provides):🤖 Generated with Claude Code