In version 0.15.0, I’m seeing a regression where organizationId is null on initial load. This does not occur in 0.14.0.
When reviewing the tagged source diff between v0.14.0 and v0.15.0 (v0.14.0...v0.15.0), I couldn’t identify a change that would plausibly introduce this behavior. However, after inspecting the published dist artifact, it appears to include modifications that are not present in the repository sources for the v0.15.0 tag.
This suggests the currently published 0.15.0 package was not built from the commit associated with the v0.15.0 tag. I’m not sure what happened during the release process, but this breaks the expected traceability between tagged commits and published artifacts.
Beyond the functional regression, this also raises a broader concern: if published artifacts are not reproducibly built from the corresponding tagged commits, it becomes difficult to assess whether this discrepancy could represent a supply-chain/security risk going forward.
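The comparison the report describes (published `dist` contents versus a build from the tagged commit) can be scripted as a per-file hash diff. This is an added example, not part of the original issue or the project's code; the directory layout, file names and file contents are constructed stand-ins, and it assumes both trees have already been unpacked locally.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_trees(published, rebuilt):
    """Return files that differ between the published artifact and a rebuild."""
    pub, ref = manifest(published), manifest(rebuilt)
    return {
        "only_in_published": sorted(pub.keys() - ref.keys()),
        "only_in_rebuild": sorted(ref.keys() - pub.keys()),
        "modified": sorted(f for f in pub.keys() & ref.keys() if pub[f] != ref[f]),
    }


def demo():
    """Constructed sample trees standing in for the two dist directories."""
    with tempfile.TemporaryDirectory() as tmp:
        published, rebuilt = Path(tmp, "published"), Path(tmp, "rebuilt")
        for tree in (published, rebuilt):
            (tree / "dist").mkdir(parents=True)
            (tree / "dist" / "util.js").write_text("export const id = (x) => x;\n")
        # Constructed difference: one file changed, one file added in the artifact.
        (rebuilt / "dist" / "index.js").write_text("export const organizationId = load();\n")
        (published / "dist" / "index.js").write_text("export const organizationId = null;\n")
        (published / "dist" / "extra.js").write_text("// not in the tagged sources\n")
        return compare_trees(published, rebuilt)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

A hash mismatch only localizes where the artifact and the rebuild diverge; if the build is not deterministic (embedded timestamps, different toolchain versions), expect differences that need a content-level diff before drawing conclusions.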