npm pack should prepare manifests the same as publish #679

Closed
lukekarrys opened this issue Jun 2, 2023 · 2 comments

@lukekarrys
Contributor

currently the pack command does not use anything except pacote to prepare the manifest before creating a tarball. this behavior being different than publish can lead to subtle bugs such as the one caught during v9.7.0 release (TODO LINK).

in this case our smoke test was packing and installing a tarball with the assumption that the only difference was the scripts being run and the registry being hit. but since the bins ended up being different the bug wasn't caught.

i know we want to make less things in the manifest altered during publish, but i think an initial push towards parity between both commands will make future changes easier to implement across both commands.

breaking change?

i think that applying the same behavior to a tarball during pack as during publish should be considered a bugfix. my guess is that creating a tarball during publish is much more popular than packing and publishing separately.

@ljharb

ljharb commented Jun 2, 2023

It is a massive bug for npm publish to be literally anything but npm pack + upload the tarball, so I totally agree that should be a bugfix.

What is the exact difference right now, and since when was that the case?

@lukekarrys
Contributor Author

My initial assessment above was correct in that pack and prepare do different things to prepare a package.json before creating the tarball. But I was incorrect in thinking this had any effect on the bug I encountered in the CLI.

The fundamental issue is that the CLI does some altering of the packument before it is published, and has done this since forever.

When you run npm publish the CLI will get the package.json and alter it to create a packument, pack the tarball, and then upload both the tarball and packument to the registry. When you run npm pack, the CLI will only create the tarball (which is identical to the tarball created by npm publish with the same inputs).

The difference is when you go to npm install the artifacts of those pack/publish commands. When you run npm install $TARBALL, there is no concept of a packument other than the package.json inside the tarball. But npm install $SPEC will get that altered packument from the registry and use that as the source of truth above the tarball's package.json.

Stopping the practice of altering packuments during publish will be a breaking change that we're looking to make as part of npm@10 (#487). Further work around that will be tracked in that issue, so I'm going to close this one.
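
The comment above describes `npm install $TARBALL` trusting the tarball's package.json while `npm install $SPEC` trusts the registry's packument. The following is an added example, not part of the original thread or npm's own code, showing one way to check whether the two disagree for a given version. The field list, function names and sample data are assumptions made for illustration.

```javascript
// Fields that affect what gets installed or run. This list is the example's
// own choice (an assumption), not a set defined by npm.
const INSTALL_FIELDS = ['name', 'version', 'bin', 'scripts', 'dependencies',
  'optionalDependencies', 'peerDependencies', 'bundleDependencies'];

// Serialize with sorted keys so key order alone is never reported as a difference.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return String(JSON.stringify(value));
}

// Compare the package.json taken from inside a tarball with the registry
// packument's entry for the same version. Returns one record per differing field.
function diffAgainstPackument(tarballPkg, packument) {
  const manifest = (packument.versions || {})[tarballPkg.version];
  if (!manifest) {
    return [{ field: 'version', tarball: tarballPkg.version, registry: undefined }];
  }
  return INSTALL_FIELDS
    .filter((f) => canonical(tarballPkg[f]) !== canonical(manifest[f]))
    .map((f) => ({ field: f, tarball: tarballPkg[f], registry: manifest[f] }));
}

// Constructed sample data, not taken from a real package.
const sampleTarballPkg = {
  name: 'example-pkg',
  version: '1.0.0',
  bin: { example: 'bin/cli.js' },
  dependencies: { b: '^2.0.0', a: '^1.0.0' },
};
const samplePackument = {
  name: 'example-pkg',
  versions: {
    '1.0.0': {
      name: 'example-pkg',
      version: '1.0.0',
      bin: { example: 'bin/cli.js', 'example-extra': 'bin/other.js' },
      dependencies: { a: '^1.0.0', b: '^2.0.0' },
      dist: { tarball: 'https://registry.example/example-pkg-1.0.0.tgz' }, // registry-only, ignored
    },
  },
};

console.log(diffAgainstPackument(sampleTarballPkg, samplePackument));
```

A non-empty result means the two install paths would see different metadata for the same version, which is the situation the smoke test in this issue did not catch.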
