Pre-Release 14.0.0-rc.1 was published as "latest" #1375

Closed
swernerx opened this issue Jun 8, 2018 · 16 comments
@swernerx

swernerx commented Jun 8, 2018

I think an issue happened with the last published package. 14.0.0-rc.1 is clearly a pre-release - even the changelog says so - but it was published as "latest", which leads some automatic update tools to go to this version. Any chance to get this fixed?

@swernerx swernerx changed the title Pre-Release was published as latest Pre-Release 14.0.0-rc.1 was published as "latest" Jun 8, 2018
@swernerx
Author

swernerx commented Jun 8, 2018

@IvanGoncharov
Member

@swernerx I tested npm install graphql and yarn add graphql and they both install 14.0.0-rc.1.
It's pretty bad; I think we need to unpublish this package:
https://docs.npmjs.com/cli/unpublish

unpublish is only allowed with versions published in the last 24 hours

@mjmahone Can you please unpublish the package?
I think we still have a couple hours.

@IvanGoncharov
Member

@mjmahone Also looks like 14.0.0-rc.2 from #1374 wasn't published to NPM at all.

@IvanGoncharov
Member

IvanGoncharov commented Jun 8, 2018

Here is an article explaining what happened: https://medium.com/@mbostock/prereleases-and-npm-e778fc5e2420

NPM has very strange behavior by default.
As I understand, Lee used npm publish --tag rc for previous RC releases; that's why latest wasn't changed.

@IvanGoncharov
Member

NPM reports that the package was published:

11 hours ago

So we still have 13 hours to find someone with NPM keys.

@IvanGoncharov
Member

@mjmahone No need to unpublish anything; we can simply change NPM tags:

npm dist-tags add graphql@0.13.2 latest
npm dist-tags add graphql@14.0.0-rc.1 rc

See "Whoops, I accidentally published without a tag!" from here:
http://jbavari.github.io/blog/2015/10/16/using-npm-tags/

@IvanGoncharov
Member

@mjmahone Can you please set the correct tag?
It's a major issue since a lot of developers start to use RC versions unintentionally by just doing: yarn add graphql.
Also, every new RC triggers update bots/scripts, e.g. danger/peril#309

@IvanGoncharov
Member

IvanGoncharov commented Jun 8, 2018

@mjmahone I see you are active in other issues; can you please comment on this one?
Is it something you are trying to solve at the moment?
Should I try to contact other collaborators who have NPM keys to this package?
It would be great to resolve this situation before the weekend.

After releasing graphql@14.0.0-rc.2 the situation didn't change:
image

@mjmahone
Contributor

mjmahone commented Jun 8, 2018

Shoot sorry I missed this. Trying to update tags now, though I'm not sure whether I have the right permission to do this. Figuring out how things make it to npm has been a bit of a struggle. Thank you @IvanGoncharov for providing much needed resources, and @swernerx for identifying the issue!

@mjmahone
Contributor

mjmahone commented Jun 8, 2018

It seems like the main issue is that I don't have write access to npm. It seems like only TravisCI is allowed to publish to our npm package. I'm not sure how to force the tag to be correct, but I'm trying to figure out who has the ability to update the tag. @leebyron might?

@IvanGoncharov
Member

@mjmahone Here is the complete list:

$ npm owner ls graphql
asiandrummer <asiandrummer@gmail.com>
fb <opensource+npm@fb.com>
kassens <jkassens@fb.com>
leebyron <lee@leebyron.com>
wincent <greg@hurrell.net>

@IvanGoncharov
Member

@wincent @kassens @asiandrummer Can you please assist in resolving this issue?
It's a critical issue for all graphql-js users and we can't resolve it without write access to graphql-js on NPM.
You only need to execute the following two commands:

npm dist-tags add graphql@0.13.2 latest
npm dist-tags add graphql@14.0.0-rc.2 rc

For a detailed explanation please see "Whoops, I accidentally published without a tag!" from here:
http://jbavari.github.io/blog/2015/10/16/using-npm-tags

@mjmahone
Contributor

mjmahone commented Jun 9, 2018

Alright I got permission to update the npm registry and it seems like the issue is fixed. I promise to do better on these publishes/releases going forwards. To anyone who accidentally added the rc version: please downgrade if possible.

screen shot 2018-06-08 at 8 12 16 pm

@IvanGoncharov thank you so much for guiding me through the issue and solution.

@IvanGoncharov
Member

IvanGoncharov commented Jun 9, 2018

@mjmahone I think it's critical to make the Travis script:

  1. PR friendly, so it publishes on version change and creates tags
  2. Support setting the RC tag

I would try to set up Travis in such a way on a fork of this repo and do testing with the graphql-js-publish-test NPM package so we would be sure that it doesn't break anything.
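
The tag handling discussed in this thread, as an added example (not graphql-js's release script and not part of any comment here): it derives the dist-tag from the version so a pre-release is never published as latest, and audits the object printed by npm view <pkg> dist-tags --json. The function names and the "next" fallback are assumptions; the sample tag objects are constructed from the versions named above.

```javascript
// Added example; function names are hypothetical, not from graphql-js.
const SEMVER = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

// Split a version into its pre-release identifiers ("14.0.0-rc.1" -> ["rc", "1"]).
function parseVersion(version) {
  const m = SEMVER.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { prerelease: m[4] ? m[4].split('.') : [] };
}

// Dist-tag a version should be published under.
function distTagFor(version) {
  const { prerelease } = parseVersion(version);
  if (prerelease.length === 0) return 'latest'; // stable release
  const id = prerelease[0];
  // Assumption: a purely numeric identifier (1.0.0-0) is not usable as a
  // tag name, so such versions go under "next".
  return /^\d+$/.test(id) ? 'next' : id;
}

// Arguments for `npm publish`. The tag is always explicit, so npm's
// default of "latest" never applies silently to a pre-release.
function publishArgs(version) {
  return ['publish', '--tag', distTagFor(version)];
}

// Audit the dist-tags object of a package: "latest" must be a stable version.
function auditDistTags(distTags) {
  const problems = [];
  const latest = distTags.latest;
  if (latest !== undefined && distTagFor(latest) !== 'latest') {
    problems.push(
      `latest points at pre-release ${latest}; expected tag "${distTagFor(latest)}"`
    );
  }
  return problems;
}

// Constructed samples modelled on the versions named in this thread.
const BEFORE_FIX = { latest: '14.0.0-rc.1' };
const AFTER_FIX = { latest: '0.13.2', rc: '14.0.0-rc.2' };

console.log('npm ' + publishArgs('14.0.0-rc.2').join(' '));
console.log(auditDistTags(BEFORE_FIX));
console.log(auditDistTags(AFTER_FIX));
```

Run as a CI step before the publish command, the audit fails the build when the registry's latest tag has drifted onto a pre-release.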

@IvanGoncharov
Member

Now everything is working as expected and yarn add graphql adds 0.13.2.

@leebyron
Contributor

Sorry for missing this - @mjmahone if you want to release RCs in the future feel free to ping me on messenger if you need any assistance. We should be careful not to break people's expectations of versions over npm

IvanGoncharov added a commit to IvanGoncharov/graphql-js that referenced this issue Sep 3, 2018
IvanGoncharov added a commit to IvanGoncharov/graphql-js that referenced this issue Sep 3, 2018
IvanGoncharov added a commit to IvanGoncharov/graphql-js that referenced this issue Sep 4, 2018
IvanGoncharov added a commit to IvanGoncharov/graphql-js that referenced this issue Sep 6, 2018