Skip to content

build: remove npx from prepublishOnly script#180

Merged
dsanders11 merged 1 commit intomainfrom
sam/remove-npx-prepublish
Mar 31, 2026
Merged

build: remove npx from prepublishOnly script#180
dsanders11 merged 1 commit intomainfrom
sam/remove-npx-prepublish

Conversation

@MarshallOfSound
Copy link
Copy Markdown
Member

@MarshallOfSound MarshallOfSound commented Mar 31, 2026

The npx prefix in prepublishOnly is unnecessary and creates a supply-chain risk during publish.

Why this is safe to remove:

  • packageManager: yarn@4.10.3 is set — corepack provides yarn
  • release.yml runs yarn install --immutable before publishing, so yarn is guaranteed present
  • build just calls tsc, which is a devDependency

Why npx yarn is bad here:

  • yarn is not a dep, so npx falls through to fetching yarn@latest from the registry
  • This happens during npm publish — worst possible place for an uncontrolled registry fetch

@MarshallOfSound
build: remove npx from prepublishOnly script
b537430 
The npx prefix is unnecessary — yarn is available via corepack
(packageManager field is set) and the release workflow runs
yarn install before publishing. Using npx here causes a registry
fetch of yarn@latest during npm publish, which is a supply-chain
risk in the publish path.
@MarshallOfSound MarshallOfSound requested a review from a team as a code owner March 31, 2026 05:06
@dsanders11 dsanders11 merged commit f599bb1 into main Mar 31, 2026
7 checks passed
@dsanders11 dsanders11 deleted the sam/remove-npx-prepublish branch March 31, 2026 16:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dsanders11 dsanders11 dsanders11 approved these changes

@erickzhao erickzhao erickzhao approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MarshallOfSound @dsanders11 @erickzhao