fix: add repository field to published packages for provenance validation #2158

Merged
ryansolid merged 1 commit into main from fix/package-repository-provenance
Jun 12, 2026

@ryansolid


Summary

Follow-up to #2157. The release got past authentication (OIDC worked, provenance was signed) but npm rejected both packages with E422:

Error verifying sigstore provenance bundle: Failed to validate repository information:
package.json: "repository.url" is "", expected to match "https://github.com/solidjs/solid-start" from provenance

Trusted publishing generates provenance attestations, and npm validates that the published package.json repository.url matches the repo in the attestation. Neither @solidjs/start nor @solidjs/vite-plugin-nitro-2 had a repository field. This adds it (with directory for the monorepo path).

No changeset on purpose: the pending 2.0.0-alpha.3 / 0.3.0 are versioned but unpublished — merging with no changesets makes the action retry publishing them directly.

Test plan

  • Merge and confirm the Release workflow publishes both packages

Made with Cursor

…tion

npm trusted publishing generates provenance attestations and requires
package.json "repository.url" to match the source repo. Both packages
were missing the field, failing publish with E422.

Co-authored-by: Cursor <cursoragent@cursor.com>
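
A pre-publish check for the mismatch described in this PR, as an added example that is not part of the PR or the solid-start code base: it flags any publishable package.json whose repository.url would not match the source repository, before npm rejects the publish. The function names, the sample manifests and the URL normalization are assumptions of this example; the normalization is not npm's own matching rule.

```javascript
// ASSUMPTION: normalizeRepoUrl() is this example's own approximation of
// equivalent GitHub URL spellings, not npm's matching algorithm.
function normalizeRepoUrl(raw) {
  if (typeof raw !== "string") return "";
  let url = raw.trim();
  // Expand the "owner/repo" and "github:owner/repo" shorthands.
  const shorthand = url.match(/^(?:github:)?([\w.-]+\/[\w.-]+)$/);
  if (shorthand) url = `https://github.com/${shorthand[1]}`;
  return url
    .replace(/^git\+/, "")
    .replace(/^(?:ssh:\/\/)?git@github\.com[:/]/, "https://github.com/")
    .replace(/\/+$/, "")
    .replace(/\.git$/, "")
    .toLowerCase();
}

// In GitHub Actions the source repository is available from these two variables.
function expectedRepoFromEnv(env) {
  return `${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}`;
}

// Returns the list of problems for one parsed package.json (empty means OK).
function checkManifest(manifest, expectedRepo) {
  if (manifest.private === true) return []; // never published, nothing to validate
  const repo = manifest.repository;
  const rawUrl = typeof repo === "string" ? repo : repo && repo.url;
  const actual = normalizeRepoUrl(rawUrl);
  if (!actual) return [`${manifest.name}: "repository.url" is missing or empty`];
  if (actual !== normalizeRepoUrl(expectedRepo)) {
    return [`${manifest.name}: "repository.url" is "${rawUrl}", expected "${expectedRepo}"`];
  }
  return [];
}

function checkAll(manifests, expectedRepo) {
  return manifests.flatMap((m) => checkManifest(m, expectedRepo));
}

// Constructed sample manifests; package names and directory are placeholders.
const EXPECTED = "https://github.com/solidjs/solid-start"; // from the E422 message
const SAMPLES = [
  { name: "@example/no-repo", version: "1.0.0" },
  { name: "@example/fork", repository: { type: "git", url: "git+https://github.com/someone/solid-start.git" } },
  { name: "@example/ok", repository: { type: "git", url: "git+https://github.com/solidjs/solid-start.git", directory: "packages/example" } },
  { name: "@example/internal", private: true },
];

console.log(checkAll(SAMPLES, EXPECTED).join("\n") || "all manifests match");
```

In a release workflow, feed it the parsed package.json of every workspace package and `expectedRepoFromEnv(process.env)`, and fail the job when the returned list is non-empty.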
@changeset-bot

changeset-bot Bot commented Jun 12, 2026


⚠️ No Changeset found

Latest commit: 6be2cb6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@netlify

netlify Bot commented Jun 12, 2026


Deploy Preview for solid-start-landing-page ready!

Name Link
🔨 Latest commit 6be2cb6
🔍 Latest deploy log https://app.netlify.com/projects/solid-start-landing-page/deploys/6a2b7bd7e2b5230008bfee9d
😎 Deploy Preview https://deploy-preview-2158--solid-start-landing-page.netlify.app

@pkg-pr-new

pkg-pr-new Bot commented Jun 12, 2026


npm i https://pkg.pr.new/solidjs/solid-start/@solidjs/start@2158
npm i https://pkg.pr.new/solidjs/solid-start/@solidjs/vite-plugin-nitro-2@2158

commit: 6be2cb6

@ryansolid ryansolid merged commit 47d5e6a into main Jun 12, 2026
10 checks passed
@ryansolid ryansolid deleted the fix/package-repository-provenance branch June 12, 2026 03:25