Skip to content

fix(ruvector): verify-dist guards package.json entrypoints (#376)#433

Open
ruvnet wants to merge 1 commit intomainfrom
fix/issue-376-verify-package-entrypoints
Open

fix(ruvector): verify-dist guards package.json entrypoints (#376)#433
ruvnet wants to merge 1 commit intomainfrom
fix/issue-376-verify-package-entrypoints

Conversation

@ruvnet
Copy link
Copy Markdown
Owner

@ruvnet ruvnet commented May 7, 2026

Summary

  • Closes npm package fails to import in 0.2.23 because published tarball is missing dist/index.js #376ruvector@0.2.23 was published with main: dist/index.js declared but the file absent from the tarball, so any consumer doing require('ruvector') or await import('ruvector') crashed on a fresh install.
  • The current 0.2.25 tarball already ships dist/index.js (so end users on the latest release are not affected). This PR adds the regression guard that would have stopped the broken 0.2.23 publish in the first place.

Why this PR is still needed

scripts/verify-dist.js was added after #399 but only audits the require('../dist/...') calls inside bin/cli.js. It never looked at package.json#main, so a regression on the package's library entrypoint would slip through again.

Fix

  • Audit package.json#main, types, module, and every bin.* entry against fs.existsSync under the package root.
  • Run a require('<main>') smoke check as a final step. Skippable with VERIFY_DIST_SKIP_SMOKE=1 for emergency publishes.
  • Keep the existing cli.js scan untouched.

Proof

Passing run on the current 0.2.25 working tree:

$ node scripts/verify-dist.js
verify-dist: 13 dist path(s) referenced by bin/cli.js present.
verify-dist: 3 package.json entrypoint(s) present.
verify-dist: require('dist/index.js') smoke OK.

Simulating the original #376 regression (rename dist/index.js away):

$ mv dist/index.js dist/index.js.bak
$ node scripts/verify-dist.js
verify-dist: package would publish broken:
  - 1 dist file(s) referenced by bin/cli.js are missing:
    - dist/index.js
  - 1 package.json entrypoint(s) point at missing files:
    - main → dist/index.js
exit code: 1

End-to-end pack of the current 0.2.25 tarball into a clean /tmp dir:

$ npm pack
ruvector-0.2.25.tgz

$ tar -tzf ruvector-0.2.25.tgz | grep dist/index
package/dist/index.js
package/dist/index.d.ts.map
package/dist/index.d.ts

$ node -e "import('ruvector').then(m => console.log('keys:', Object.keys(m).slice(0,5).join(',')))"
keys: ASTParser,AdamOptimizer,AdaptiveEmbedder,CodeGraph,CodeParser

Test plan

🤖 Generated with claude-flow

@ruvnet
fix(ruvector): verify-dist guards package.json entrypoints (#376)
9ec433b 
`verify-dist.js` was added after #399 to fail the publish when files
required by `bin/cli.js` weren't built. It would NOT have caught #376
because that regression hit `package.json#main` (`dist/index.js`) — a
path the previous guard never inspected. The published 0.2.23 declared
`main: dist/index.js` but shipped without it, so every consumer doing
`require('ruvector')` or `await import('ruvector')` crashed.

Strengthen the guard to also check:
- package.json `main`, `types`, `module`, and every `bin.*` entry
  resolves to a real file under the package root.
- The `main` entry actually loads — `node -e "require(<main>)"` runs as
  a final smoke (skippable via VERIFY_DIST_SKIP_SMOKE=1 for emergencies).

Verified end-to-end against ruvector@0.2.25 on Node 22.22.2:

    $ node scripts/verify-dist.js
    verify-dist: 13 dist path(s) referenced by bin/cli.js present.
    verify-dist: 3 package.json entrypoint(s) present.
    verify-dist: require('dist/index.js') smoke OK.

    $ mv dist/index.js dist/index.js.bak  # simulate the #376 regression
    $ node scripts/verify-dist.js
    verify-dist: package would publish broken:
      - 1 dist file(s) referenced by bin/cli.js are missing:
        - dist/index.js
      - 1 package.json entrypoint(s) point at missing files:
        - main → dist/index.js
    exit code: 1

The current 0.2.25 tarball already includes `dist/index.js`, so end
users on the latest release are not affected; this PR is the regression
guard that would have prevented the publish in the first place.

Closes #376

Co-Authored-By: claude-flow <ruv@ruv.net>
@ruvnet ruvnet mentioned this pull request May 7, 2026
Open
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

npm package fails to import in 0.2.23 because published tarball is missing dist/index.js

1 participant

@ruvnet