Summary
@ruvector/ruvllm@2.4.0 through 2.5.4 (current latest on npm) declare
optionalDependencies for all five native binary packages pinned to
2.3.0 — but no native package was ever published at 2.3.0. The
highest published version of every platform binary is 2.0.1.
Net effect: the JS wrapper installs cleanly but the native loader has
nothing to load on any platform, because npm silently skips
optional deps it can't resolve. ruvllm@2.4.0+ is effectively broken-by-design
as published.
This package is pulled in transitively by @claude-flow/cli via
@claude-flow/memory@3.0.0-alpha.14 → agentdb@3.0.0-alpha.11 → @ruvector/ruvllm@2.5.4,
so any user installing claude-flow gets the broken wrapper.
Reproduce
$ npm view @ruvector/ruvllm@2.5.4 optionalDependencies
{
'@ruvector/ruvllm-linux-x64-gnu': '2.3.0',
'@ruvector/ruvllm-linux-arm64-gnu': '2.3.0',
'@ruvector/ruvllm-darwin-x64': '2.3.0',
'@ruvector/ruvllm-darwin-arm64': '2.3.0',
'@ruvector/ruvllm-win32-x64-msvc': '2.3.0'
}
$ npm view @ruvector/ruvllm-darwin-arm64 versions
[ '0.2.0', '0.2.3', '2.0.0', '2.0.1' ]
$ npm view @ruvector/ruvllm-darwin-arm64@2.3.0
npm error 404 '@ruvector/ruvllm-darwin-arm64@2.3.0' is not in this registry.All five native packages have the identical published version set
[0.2.0, 0.2.3, 2.0.0, 2.0.1].
Why it happened
.github/workflows/ruvllm-native.yml builds and publishes the platform
binaries on a ruvllm-v* tag, then publishes the main JS package in the
same job. Versions 2.4.0, 2.5.0–2.5.4 of the JS package were
published outside that flow (see
e9295556e,
3d7f31ce7,
e7e545e22) without rebuilding/republishing the
native binaries. Each release bumped the wrapper version and the
optionalDependencies pin to 2.3.0, but the native binaries never
caught up — they remain at 2.0.1 on npm.
Fix
Two-part:
- Source fix (this PR-equivalent edit): point
npm/packages/ruvllm/package.json optionalDependencies at the
latest actually-published native version 2.0.1, so the next
release of the wrapper resolves its native loader.
- Republish: ship a new wrapper version (e.g.
2.5.5) with the
corrected pin. Either:
- keep pinning to the existing native
2.0.1 (cheapest, ships today), or
- run the
RuvLLM Native Build workflow with a fresh tag
(ruvllm-v2.5.5) to rebuild + republish the native binaries at the
same version as the wrapper. ADR-recommend the latter so the
version space stays one-to-one going forward.
Process gap to close
The prepublishOnly script for @ruvector/ruvllm should
verify each optionalDependencies version exists on npm before letting
the publish proceed. A 6-line npm view ... version check would have
caught every one of the broken 2.4.x/2.5.x releases at publish time.
Affected versions
@ruvector/ruvllm → 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4
(all currently resolvable, all silently broken on every platform).
Summary
@ruvector/ruvllm@2.4.0through2.5.4(currentlateston npm) declareoptionalDependenciesfor all five native binary packages pinned to2.3.0— but no native package was ever published at2.3.0. Thehighest published version of every platform binary is
2.0.1.Net effect: the JS wrapper installs cleanly but the native loader has
nothing to load on any platform, because npm silently skips
optional deps it can't resolve.
ruvllm@2.4.0+is effectively broken-by-designas published.
This package is pulled in transitively by
@claude-flow/clivia@claude-flow/memory@3.0.0-alpha.14 → agentdb@3.0.0-alpha.11 → @ruvector/ruvllm@2.5.4,so any user installing
claude-flowgets the broken wrapper.Reproduce
$ npm view @ruvector/ruvllm@2.5.4 optionalDependencies { '@ruvector/ruvllm-linux-x64-gnu': '2.3.0', '@ruvector/ruvllm-linux-arm64-gnu': '2.3.0', '@ruvector/ruvllm-darwin-x64': '2.3.0', '@ruvector/ruvllm-darwin-arm64': '2.3.0', '@ruvector/ruvllm-win32-x64-msvc': '2.3.0' } $ npm view @ruvector/ruvllm-darwin-arm64 versions [ '0.2.0', '0.2.3', '2.0.0', '2.0.1' ] $ npm view @ruvector/ruvllm-darwin-arm64@2.3.0 npm error 404 '@ruvector/ruvllm-darwin-arm64@2.3.0' is not in this registry.All five native packages have the identical published version set
[0.2.0, 0.2.3, 2.0.0, 2.0.1].Why it happened
.github/workflows/ruvllm-native.ymlbuilds and publishes the platformbinaries on a
ruvllm-v*tag, then publishes the main JS package in thesame job. Versions
2.4.0,2.5.0–2.5.4of the JS package werepublished outside that flow (see
e9295556e,3d7f31ce7,e7e545e22) without rebuilding/republishing thenative binaries. Each release bumped the wrapper version and the
optionalDependenciespin to2.3.0, but the native binaries nevercaught up — they remain at
2.0.1on npm.Fix
Two-part:
npm/packages/ruvllm/package.jsonoptionalDependenciesat thelatest actually-published native version
2.0.1, so the nextrelease of the wrapper resolves its native loader.
2.5.5) with thecorrected pin. Either:
2.0.1(cheapest, ships today), orRuvLLM Native Buildworkflow with a fresh tag(
ruvllm-v2.5.5) to rebuild + republish the native binaries at thesame version as the wrapper. ADR-recommend the latter so the
version space stays one-to-one going forward.
Process gap to close
The
prepublishOnlyscript for@ruvector/ruvllmshouldverify each
optionalDependenciesversion exists on npm before lettingthe publish proceed. A 6-line
npm view ... versioncheck would havecaught every one of the broken
2.4.x/2.5.xreleases at publish time.Affected versions
@ruvector/ruvllm→2.4.0,2.4.1,2.5.0,2.5.1,2.5.2,2.5.3,2.5.4(all currently resolvable, all silently broken on every platform).