
[AAASM-3723] 🐛 (ci): Fix CycloneDX SBOM npm-ls tree check in release-node.yml#194

Merged
Chisanan232 merged 1 commit into master from v0.0.1/AAASM-3723/fix_npm_tree_check on Jun 25, 2026

Conversation

@Chisanan232

Contributor

Description

Fixes the node beta.5 release dry-run failure (run 28152202879). The failing step was Generate CycloneDX SBOM (inside the publish job), not the publish/provenance itself:

npm error missing: safe-publish-latest@^2.0.0, required by math-intrinsics@1.1.0
...
Error: npm-ls exited with errors: 1   (exit 254)

Root cause: the job installs with pnpm install --frozen-lockfile (pnpm's symlinked node_modules, no package-lock.json). @cyclonedx/cyclonedx-npm shells out to npm ls to walk the tree, which flags devDependencies of transitive deps (e.g. safe-publish-latest required by math-intrinsics) as "missing" and exits non-zero — aborting the release before publish.

Fix: pnpm dlx @cyclonedx/cyclonedx-npm --omit dev --ignore-npm-errors … — a production-only tree (the correct scope for a release SBOM) plus tolerance for the residual npm ls noise from pnpm's layout. This is purely the dependency-manifest step; the OIDC trusted-publish + SLSA provenance path is untouched.

Verified: re-ran the dry-run on this branch — the publish job is completed:success (run 28152672806); docs snapshot correctly skipped; nothing published.

Type of Change

  • 🐛 Bug fix (CI)

Related Issues

  • Closes AAASM-3723 · surfaced by the AAASM-3707 (node beta.5) GATE-2 dry-run

🤖 Generated with Claude Code

The CycloneDX SBOM step (AAASM-3619) ran bare cyclonedx-npm, which shells
out to `npm ls` to walk the dependency tree. This repo installs with
`pnpm install --frozen-lockfile`, so node_modules is pnpm's symlinked
layout with no package-lock.json; npm ls flags devDependencies of
transitive deps (safe-publish-latest req by math-intrinsics,
@arethetypeswrong/cli req by dunder-proto) as missing and exits 254,
aborting the release before publish.

Add --omit dev (production-only tree, the right scope for a release SBOM)
and --ignore-npm-errors (tolerate residual pnpm-layout npm-ls noise).
SBOM generation is independent of the OIDC trusted-publish / SLSA
provenance path, which is untouched.

Closes AAASM-3723

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
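As an added illustration that is not the repository's own release-node.yml (the workflow file itself is not shown on this page), the failing step and the fixed step side by side in a GitHub Actions publish job. The job and step names, the output file name, the `--output-file` and `--output-format` flags of @cyclonedx/cyclonedx-npm, and the availability of `jq` on the runner are assumptions; only `pnpm install --frozen-lockfile`, `pnpm dlx @cyclonedx/cyclonedx-npm --omit dev --ignore-npm-errors` and the failure mode come from the PR. The trailing check is an extra guard: because `--ignore-npm-errors` discards the exit status of `npm ls`, the job should confirm an SBOM with components was actually written before it is attached to a release.

```yaml
# Added example, not the project's own release-node.yml.
# Assumed: job/step names, sbom.cdx.json as the output file, the
# --output-file / --output-format flags, and jq being on the runner.
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      # pnpm's symlinked node_modules layout, no package-lock.json
      - run: pnpm install --frozen-lockfile

      # Before: bare cyclonedx-npm walks the tree with `npm ls`, which on
      # pnpm's layout reports devDependencies of transitive deps (e.g.
      # safe-publish-latest required by math-intrinsics) as "missing" and
      # exits non-zero, so the release aborts before anything is published.
      # - name: Generate CycloneDX SBOM
      #   run: pnpm dlx @cyclonedx/cyclonedx-npm --output-file sbom.cdx.json

      # After: production-only tree (--omit dev, the right scope for a
      # release SBOM) plus tolerance for residual npm-ls noise from pnpm's
      # layout (--ignore-npm-errors).
      - name: Generate CycloneDX SBOM
        run: >
          pnpm dlx @cyclonedx/cyclonedx-npm
          --omit dev
          --ignore-npm-errors
          --output-format JSON
          --output-file sbom.cdx.json

      # Guard: --ignore-npm-errors hides npm ls failures, so verify the SBOM
      # exists and lists at least one component before the release uses it.
      - name: Check SBOM is non-empty
        run: |
          test -s sbom.cdx.json
          count=$(jq '.components | length' sbom.cdx.json)
          echo "SBOM components: $count"
          test "$count" -gt 0
```

The guard step costs nothing in the green case and turns a silently empty or partial manifest into a visible job failure, which keeps the SBOM trustworthy without touching the OIDC trusted-publish or SLSA provenance steps that follow it.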
@codecov

codecov Bot commented Jun 25, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.



@Chisanan232

Contributor Author

✅ Claude Code review — AAASM-3723 (node SBOM/npm-ls)

CI: all green — napi-build, test (18/20/22/24), module-smoke, quality, audit, CodeQL, SonarCloud, codecov/patch, coverage-and-analysis (17 pass / 0 fail). No acceptance-type failures.

Scope vs ticket: fixes the Generate CycloneDX SBOM step (inside the publish job) that failed the beta.5 dry-run — @cyclonedx/cyclonedx-npm shells out to npm ls, which on pnpm's symlinked node_modules flags devDependencies of transitive deps (safe-publish-latest req by math-intrinsics, etc.) as missing and exits non-zero. Fix = --omit dev --ignore-npm-errors (a production-only tree — correct scope for a release SBOM — tolerant of pnpm-layout npm-ls noise). OIDC trusted-publish + SLSA provenance path untouched, matching the ticket's "don't weaken publish integrity" AC.

Really fixes the release error? Yes — re-ran the beta.5 dry-run on this branch (run 28152672806) and the Publish @agent-assembly/sdk + 4 runtime sub-packages to npm job — the exact job that failed in run 28152202879 — is now success (docs snapshot correctly skipped; nothing published).

Verdict: ✅ Ready to approve & merge.

@Chisanan232 Chisanan232 merged commit 19501c5 into master Jun 25, 2026
19 checks passed
@Chisanan232 Chisanan232 deleted the v0.0.1/AAASM-3723/fix_npm_tree_check branch June 25, 2026 07:08