Frontify · jeremyzahner · Apr 22, 2026 · Apr 24, 2026 · ragi96 · Apr 24, 2026
diff --git a/.changeset/resolve-workspace-protocols.md b/.changeset/resolve-workspace-protocols.md
@@ -0,0 +1,14 @@
+---
+"@frontify/frontify-cli": patch
+---
+
+fix(cli): resolve workspace protocol specifiers during deployment
+
+The deploy command now resolves `catalog:`, `workspace:`, `link:`, `file:`, and other protocol specifiers to their actual installed versions before uploading to the Frontify Marketplace API. Previously, these raw specifiers were sent as-is, causing deployment failures in pnpm workspace setups.
+
+Key changes:
+
+- Dependencies are resolved via `node_modules` lookup during `collectFiles`. Unresolvable protocol specifiers are omitted from the payload with a warning.
+- The `package.json` included in `source_files` is sanitized with resolved versions before upload.
+- The platform app compiler now guards against protocol specifiers being injected into compiled JavaScript output.
+- A warning is emitted when potentially sensitive files (`.env`, `.npmrc`, `.netrc`) are detected in the source upload.
@@ -7,6 +7,7 @@ import open from 'open';
 import pc from 'picocolors';
 
 import { type HttpClientError } from '../errors/HttpClientError';
+import { getInstalledPackageVersion } from '../utils/getPackageVersion';
 import {
     type CompilerOptions,
     Configuration,
@@ -18,6 +19,7 @@ import {
     readFileAsBase64,
     readFileLinesAsArray,
 } from '../utils/index';
+import { isPackageProtocolSpecifier } from '../utils/packageProtocols';
 import { platformAppManifestSchemaV1, verifyManifest } from '../utils/verifyManifest';
 
 type Options = {
@@ -61,6 +63,49 @@ const SOURCE_FILE_BLOCK_LIST = [
     '**/*.graphql',
 ];
 
+const SENSITIVE_FILE_PATTERNS = ['.env', '.npmrc', '.netrc'];
+
+export const resolveDependencyVersions = (
+    dependencies: Record<string, string>,
+    projectPath: string,
+): Record<string, string> => {
+    const resolved: Record<string, string> = {};
+
+    for (const [name, specifier] of Object.entries(dependencies)) {
+        const installedVersion = getInstalledPackageVersion(projectPath, name);
+
+        if (installedVersion && !isPackageProtocolSpecifier(installedVersion)) {
+            resolved[name] = installedVersion;
+            continue;
+        }
+
+        if (isPackageProtocolSpecifier(specifier)) {
+            Logger.warn(
+                `Could not resolve version for "${name}" (specifier: "${specifier}"). ` +
+                    'The package may not be installed. Omitting from deployment dependencies.',
+            );
+            continue;
+        }
+
+        resolved[name] = specifier;
+    }
+
+    return resolved;
+};
+
+export const warnAboutSensitiveFiles = (sourceFiles: Record<string, string>): void => {
+    const sensitiveFiles = Object.keys(sourceFiles).filter((filePath) =>
+        SENSITIVE_FILE_PATTERNS.some((pattern) => filePath.split('/').some((segment) => segment.startsWith(pattern))),
+    );
+
+    if (sensitiveFiles.length > 0) {
+        Logger.warn(
+            `Potentially sensitive files detected in source files:\n${sensitiveFiles.map((f) => `  - ${f}`).join('\n')}\n` +
+                'Consider adding these to your .gitignore to prevent them from being uploaded.',
+        );
+    }
+};
+
 export const resolveCredentials = (token?: string, instance?: string) => {
     const instanceUrl = instance || Configuration.get('instanceUrl');
     const accessToken = token || Configuration.get('tokens.access_token');
@@ -108,17 +153,50 @@ export const collectFiles = async (projectPath: string, distPath: string) => {
         return fastGlob.convertPathToPattern(`${projectPath}/${path}`);
     });
 
-    const packageJsonContent = reactiveJson<{ dependencies?: Record<string, string> }>(
-        join(projectPath, 'package.json'),
+    const packageJsonContent = reactiveJson<{
+        dependencies?: Record<string, string>;
+        devDependencies?: Record<string, string>;
+        peerDependencies?: Record<string, string>;
+    }>(join(projectPath, 'package.json'));
+
+    const resolvedDependencies = resolveDependencyVersions(packageJsonContent?.dependencies || {}, projectPath);
+
+    const sourceFiles = await makeFilesDict(fastGlob.convertPathToPattern(projectPath), sourceFilesToIgnore);
+
+    // Sanitize the package.json in source_files to contain resolved versions
+    // instead of protocol specifiers that are invalid outside the workspace.
+    // Note: packageJsonContent is a reactiveJson Proxy. We only READ from it here
+    // via spread and property access. Do not mutate it directly — the Proxy's set
+    // trap would write changes back to disk.
+    const pkgJsonKey = '/package.json';
+    if (packageJsonContent) {
+        if (!(pkgJsonKey in sourceFiles)) {
+            Logger.error(
+                `Expected "${pkgJsonKey}" in sourceFiles but key was not found. ` +
+                    'This likely indicates a change in makeFilesDict key format.',
+            );
+            process.exit(-1);
+        }
+        const sanitized = {
+            ...packageJsonContent,
+            dependencies: resolvedDependencies,
+            devDependencies: resolveDependencyVersions(packageJsonContent.devDependencies || {}, projectPath),
+            peerDependencies: resolveDependencyVersions(packageJsonContent.peerDependencies || {}, projectPath),
+        };
+        sourceFiles[pkgJsonKey] = Buffer.from(JSON.stringify(sanitized, null, '\t')).toString('base64');
+    }
+
+    warnAboutSensitiveFiles(sourceFiles);
+
+    const buildFiles = await makeFilesDict(
+        fastGlob.convertPathToPattern(`${projectPath}/${distPath}`),
+        buildFilesToIgnore,
     );
 
     return {
-        build_files: await makeFilesDict(
-            fastGlob.convertPathToPattern(`${projectPath}/${distPath}`),
-            buildFilesToIgnore,
-        ),
-        source_files: await makeFilesDict(fastGlob.convertPathToPattern(projectPath), sourceFilesToIgnore),
-        dependencies: packageJsonContent?.dependencies || {},
+        build_files: buildFiles,
+        source_files: sourceFiles,
+        dependencies: resolvedDependencies,
     };
 };
 

@@ -5,11 +5,17 @@ import { build } from 'vite';
 import { viteExternalsPlugin } from 'vite-plugin-externals';
 
 import { getAppBridgeVersion } from '../getPackageVersion';
+import { isPackageProtocolSpecifier } from '../packageProtocols';
 
 import { type CompilerOptions } from './compilerOptions';
 
+const isValidVersion = (version: string | undefined): version is string => {
+    return version !== undefined && !isPackageProtocolSpecifier(version);
+};
+
 export const compilePlatformApp = async ({ outputName, entryFile, projectPath = '' }: CompilerOptions) => {
     const appBridgeVersion = getAppBridgeVersion(projectPath);
+    const safeAppBridgeVersion = isValidVersion(appBridgeVersion) ? appBridgeVersion : undefined;
 
     const settings = await build({
         plugins: [
@@ -45,7 +51,7 @@ export const compilePlatformApp = async ({ outputName, entryFile, projectPath =
                     footer: `
                         window.${outputName} = ${outputName};
                         window.${outputName}.dependencies = window.${outputName}.packages || {};
-                        ${appBridgeVersion ? `window.${outputName}.dependencies['@frontify/app-bridge-app'] = '${appBridgeVersion}';` : ''}
+                        ${safeAppBridgeVersion ? `window.${outputName}.dependencies['@frontify/app-bridge-app'] = '${safeAppBridgeVersion}';` : ''}
                     `,
                 },
             },

@@ -4,7 +4,7 @@ import { readFileSync } from 'node:fs';
 import { findPackageJSON } from 'node:module';
 import { join } from 'node:path';
 
-const getInstalledPackageVersion = (rootPath: string, packageName: string): string | undefined => {
+export const getInstalledPackageVersion = (rootPath: string, packageName: string): string | undefined => {
     try {
         const pkgJsonPath = findPackageJSON(packageName, join(rootPath, 'package.json'));
 

@@ -11,6 +11,7 @@ export * from './logger';
 export * from './logo';
 export * from './npm';
 export * from './promiseExec';
+export * from './packageProtocols';
 export * from './reactiveJson';
 export * from './url';
 export * from './user';

@@ -21,6 +21,10 @@ export class Logger {
         console.error(pc.red(`[${getCurrentTime()}] ${messages.join(' ')}`));
     }
 
+    static warn(...messages: string[]): void {
+        console.warn(pc.yellow(`[${getCurrentTime()}] ${messages.join(' ')}`));
+    }
+
     static spacer(width = 1): string {
         return ' '.repeat(width);
     }

@@ -0,0 +1,13 @@
+/* (c) Copyright Frontify Ltd., all rights reserved. */
+
+/**
+ * Package manager protocol prefixes used in dependency specifiers
+ * (e.g. `workspace:*`, `catalog:react`, `link:../foo`).
+ *
+ * These are not valid semver ranges and must be resolved before deployment.
+ */
+export const PACKAGE_PROTOCOL_PREFIXES = ['catalog:', 'workspace:', 'link:', 'file:', 'portal:'] as const;
+
+export const isPackageProtocolSpecifier = (specifier: string): boolean => {
+    return PACKAGE_PROTOCOL_PREFIXES.some((prefix) => specifier.startsWith(prefix));
+};