SIB-005: npm installer points to missing release tag #20

@jmrpineda

Discovery date: 2026-05-28
Reported by: Codex
Severity: high
Environment: published npm package @pinedatec.eu/sphere-integration-hub and GitHub Releases
Scope / affected surface: npm postinstall binary download path for users installing SIH without .NET
Evidence: npm view @pinedatec.eu/sphere-integration-hub version returns 1.7.20, while GitHub Releases contain v1.7.20.278 and v1.7.20.277 but no v1.7.20. postinstall.js builds download URLs as https://github.com/PinedaTec-EU/SphereIntegrationHub/releases/download/v${VERSION}/${archive}, so npm version 1.7.20 points to missing tag v1.7.20.

Summary

The npm package is intended to let users install and run SIH without a local .NET SDK by downloading self-contained binaries from GitHub Releases. The published npm package version uses a three-part semver value, but GitHub Release tags use the repository's four-part version. As a result, the npm postinstall script can point to a release tag that does not exist.

Expected behavior

Installing @pinedatec.eu/sphere-integration-hub from npm should download the correct platform archive from GitHub Releases and install sih and sih-mcp without requiring .NET.

Current behavior

The npm package version is 1.7.20, and postinstall.js constructs URLs under release tag v1.7.20. The available GitHub release for that package line is v1.7.20.278, so the expected download URL is not present under the tag npm computes.

Reproduction steps

  1. Run npm view @pinedatec.eu/sphere-integration-hub version.
  2. Observe that the latest published npm version is 1.7.20.
  3. Inspect npm/sphere-integration-hub/postinstall.js and note that it downloads from releases/download/v${VERSION}.
  4. Run gh release list --repo PinedaTec-EU/SphereIntegrationHub --limit 10.
  5. Observe that releases use tags such as v1.7.20.278 and v1.7.22.282, not v1.7.20 or v1.7.22.

Environment details

  • Repository: PinedaTec-EU/SphereIntegrationHub
  • npm package: @pinedatec.eu/sphere-integration-hub
  • Published npm latest observed: 1.7.20
  • GitHub release assets observed: sih-linux-x64.tar.gz, sih-linux-arm64.tar.gz, sih-darwin-x64.tar.gz, sih-darwin-arm64.tar.gz, sih-win32-x64.zip
  • Date observed: 2026-05-28

Notes

  • This blocks the main frictionless install path for users who do not have .NET installed.
  • Possible fixes include publishing a matching three-part GitHub Release alias, embedding the four-part release tag in npm package metadata, or teaching postinstall.js to resolve the latest four-part release matching the npm three-part version.
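
A sketch of the third fix listed in the notes, resolving a four-part release tag from the three-part npm version. This is an added example, not code from the project's postinstall.js: the function names and the allow-list are hypothetical, and the tag list is assumed to have been fetched already (for instance from the GitHub Releases listing).

```javascript
// Added example: hypothetical helpers, not code from postinstall.js.
const REPO = "PinedaTec-EU/SphereIntegrationHub";
const ARCHIVES = new Set([
  "sih-linux-x64.tar.gz", "sih-linux-arm64.tar.gz",
  "sih-darwin-x64.tar.gz", "sih-darwin-arm64.tar.gz",
  "sih-win32-x64.zip",
]);

// Strict patterns: anything else is rejected rather than interpolated into a URL.
const NPM_VERSION = /^(\d+)\.(\d+)\.(\d+)$/;
const RELEASE_TAG = /^v(\d+)\.(\d+)\.(\d+)\.(\d+)$/;

// Return the four-part tag with the highest build number whose first three
// parts equal the npm version, or null when no release matches.
function resolveReleaseTag(npmVersion, tags) {
  const v = NPM_VERSION.exec(npmVersion);
  if (!v) throw new Error(`unexpected npm version: ${npmVersion}`);
  let best = null;
  for (const tag of tags) {
    const t = RELEASE_TAG.exec(tag);
    if (!t) continue; // skip three-part, pre-release or malformed tags
    if ([1, 2, 3].some((i) => Number(t[i]) !== Number(v[i]))) continue;
    const build = Number(t[4]);
    if (best === null || build > best.build) best = { tag, build };
  }
  return best ? best.tag : null;
}

// Build the download URL, failing loudly instead of requesting a missing tag.
function buildDownloadUrl(npmVersion, tags, archive) {
  if (!ARCHIVES.has(archive)) throw new Error(`unknown archive: ${archive}`);
  const tag = resolveReleaseTag(npmVersion, tags);
  if (tag === null) {
    throw new Error(`no GitHub release matches npm version ${npmVersion}`);
  }
  return `https://github.com/${REPO}/releases/download/${tag}/${archive}`;
}

// Constructed sample: tags the issue reports, plus one malformed entry.
const SAMPLE_TAGS = ["v1.7.22.282", "v1.7.20.277", "v1.7.20.278", "v1.7.20-beta"];
```

Resolving the tag at install time means the downloaded binary can change when a newer build of the same three-part version is released; embedding the exact four-part tag in the package metadata, the second fix listed, keeps the download fixed per published npm version.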
