You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The currently-tagged `latest` of `@aictrl/cli` on npm (`0.3.3`) carries unresolved `workspace:*` deps in its published manifest. Plain `npm install @aictrl/cli@latest` rejects them as an unsupported protocol, so any consumer using npm (not bun/pnpm/yarn) cannot install it.
This is breaking the `Aictrl Review` GitHub Actions workflow on every PR in this repo — the `Install Aictrl CLI` step fails before the bot ever runs. Same failure also masks downstream consumers (e.g. `aictrl-dev/aictrl`'s own AI Review workflow, which is the parent investigation in aictrl-dev/aictrl#2058).
aictrl-dev/cli PR (`fix/issue-68-skill-discovered-dedupe`) → Aictrl Review run 24893350104, 2026-04-24
All AI Review runs before 0.3.3 published (2026-04-23 and earlier) succeeded.
So the regression is correlated with the 0.3.3 publish event itself, not with a workflow change.
Impact
`Aictrl Review` workflow has been silently broken on every PR in `aictrl-dev/cli` since 0.3.3 published (~4 weeks).
Downstream consumers in npm-based CI (i.e. anyone wrapping `aictrl run` in a workflow that uses `npm install @aictrl/cli@latest`) are also broken — including the parent investigation aictrl-dev/aictrl#2058 where the same bot exists in the aictrl repo.
The release pipeline (likely `bun pm pack` → `npm publish`) didn't substitute `workspace:` protocol versions with concrete semver before publishing. `bun pm pack` historically required `--filename` and didn't rewrite `workspace:` deps; the canonical fix in similar monorepos is to either:
Use `bun publish` (which rewrites workspace deps automatically), or
Run a release tool like `changesets` / `@manypkg/cli` / a custom pre-publish step that resolves workspace deps against the actual versions being shipped, or
Bundle the workspace deps (which is what 0.3.2 did — `deps: none`).
Worth checking what changed in `.github/workflows/publish.yml` between the 0.3.2 publish (working) and the 0.3.3 publish (broken).
Acceptance criteria
Publish pipeline produces tarballs whose `package.json` resolves all `workspace:` deps to concrete semver (or bundles them).
Re-publish or deprecate `@aictrl/cli@0.3.3` and ship a fixed version (e.g. `0.3.4`).
Add a smoke test to CI: after publish, run `npm install @aictrl/cli@` in a scratch dir and assert it succeeds.
(Optional) re-enable AI Review on this repo to validate that the new version actually installs.
Context
The currently-tagged `latest` of `@aictrl/cli` on npm (`0.3.3`) carries unresolved `workspace:*` deps in its published manifest. Plain `npm install @aictrl/cli@latest` rejects them as an unsupported protocol, so any consumer using npm (not bun/pnpm/yarn) cannot install it.
This is breaking the `Aictrl Review` GitHub Actions workflow on every PR in this repo — the `Install Aictrl CLI` step fails before the bot ever runs. Same failure also masks downstream consumers (e.g. `aictrl-dev/aictrl`'s own AI Review workflow, which is the parent investigation in aictrl-dev/aictrl#2058).
Reproduction
```bash
mkdir /tmp/repro && cd /tmp/repro
npm init -y
npm install @aictrl/cli@latest
→
npm error code EUNSUPPORTEDPROTOCOL
npm error Unsupported URL Type "workspace:": workspace:*
```
Verified locally on npm 10.9.x; identical failure mode in CI runner logs.
Evidence
`npm view` of both versions:
CI failures across the repo since 0.3.3 published:
So the regression is correlated with the 0.3.3 publish event itself, not with a workflow change.
Impact
aictrl runexits 0 on auth failure, masking broken CI workflows #70 (the exit-code propagation bug) and would have masked it independently.Likely cause
The release pipeline (likely `bun pm pack` → `npm publish`) didn't substitute `workspace:` protocol versions with concrete semver before publishing. `bun pm pack` historically required `--filename` and didn't rewrite `workspace:` deps; the canonical fix in similar monorepos is to either:
Worth checking what changed in `.github/workflows/publish.yml` between the 0.3.2 publish (working) and the 0.3.3 publish (broken).
Acceptance criteria
Related
aictrl runexits 0 on auth failure, masking broken CI workflows #70 — `aictrl run` exit-code propagation; logically downstream of this because the AI Review workflow can't even reach the run step until `npm install` works.🤖 Generated with Claude Code