fix(ci): lockfile-age-audit — request full packument so time is present #888

Open
motsc wants to merge 1 commit into main from fix/lockfile-age-audit-accept-header

@motsc (Contributor) commented Jun 24, 2026

forwarding the fix from control-plane: `Accept: application/vnd.npm.install-v1+json` strips `time` from the response, so `data.time?.[version]` was always undefined and every new entry failed closed. drop the header, default packument has `time`.

Fabio (@fneves) caught this on the control-plane side.

…sent

The abbreviated `application/vnd.npm.install-v1+json` response strips the
`time` map, so `data.time?.[version]` was always undefined and every
newly-added entry hit the "missing publish time in registry response"
error path. Net effect was that the gate failed closed on every PR that
added lockfile entries, regardless of actual package age.

Drop the abbreviated Accept header (request the default full packument)
so `time` is present and the age check works as intended.

Verified against `lodash@4.17.21` — was returning undefined, now returns
the real publishedAt of 2021-02-20.
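
The failure described in the commit message, reproduced offline as an added example (not code from this PR or its repository): a fail-closed age check run against a constructed abbreviated-style and a constructed full-style packument, reporting a distinct reason when the whole `time` map is absent. The name `checkAge`, the reason strings and the 7-day threshold are assumptions.

```javascript
// Added example: constructed data and hypothetical names, no network access.
const MIN_AGE_DAYS = 7; // assumed threshold, not taken from the PR
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed abbreviated-style packument: versions are present, `time` is not.
const abbreviated = {
  name: "lodash",
  "dist-tags": { latest: "4.17.21" },
  versions: { "4.17.21": { name: "lodash", version: "4.17.21" } },
};

// Constructed full-style packument: the same document plus the `time` map.
// The date matches the one quoted in the PR; the time of day is made up.
const full = { ...abbreviated, time: { "4.17.21": "2021-02-20T00:00:00.000Z" } };

// Fail-closed age check that also says why it failed.
function checkAge(packument, version, nowMs, minAgeDays = MIN_AGE_DAYS) {
  if (!packument?.versions?.[version]) {
    return { ok: false, reason: "version-not-found" };
  }
  if (packument.time == null || typeof packument.time !== "object") {
    // Whole map absent: the response format is wrong, not the package.
    return { ok: false, reason: "no-time-map" };
  }
  const publishedAt = packument.time[version];
  const ts = typeof publishedAt === "string" ? Date.parse(publishedAt) : NaN;
  if (Number.isNaN(ts)) {
    return { ok: false, reason: "missing-publish-time" };
  }
  const ageDays = Math.floor((nowMs - ts) / DAY_MS);
  if (ageDays < minAgeDays) {
    return { ok: false, reason: "too-new", publishedAt, ageDays };
  }
  return { ok: true, publishedAt, ageDays };
}

const now = Date.UTC(2026, 5, 24); // fixed clock so the result is repeatable
console.log(checkAge(abbreviated, "4.17.21", now)); // blocked: no time map
console.log(checkAge(full, "4.17.21", now)); // passes the age gate
```

Both inputs are blocked or passed for different reasons than package age alone, which is the distinction the original single error message hid.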
Copilot AI review requested due to automatic review settings June 24, 2026 17:23

Copilot AI left a comment

Pull request overview

Fixes the CI lockfile age audit script to request an npm registry packument that includes publish timestamps, so new lockfile entries can be age-checked correctly.

Changes:

  • Stop requesting the abbreviated npm packument format that omits the `time` map.
  • Fetch the full packument so `data.time?.[version]` can be resolved for publish-date checks.

Comment on lines +194 to +197
// Default (full) packument — the abbreviated `application/vnd.npm.install-v1+json`
// response intentionally strips the `time` map, so we have to ask for the full doc
// to read publish timestamps.
res = await fetch(url, { headers: { Accept: "application/json" } });
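
Review bot: the `fetch` on the last line still sends an explicit `Accept: "application/json"` header, while the comment above it calls this the "Default (full) packument" and the description says the header is dropped. Reword the comment to say that `application/json` is what selects the full document, so a later cleanup does not swap it back to the abbreviated type for size reasons. Nothing in these four lines distinguishes "the `time` map is absent from the response" from "this version has no entry in `time`"; if the surrounding code does not already do so, a separate error for the first case would have surfaced this bug as a format problem instead of a per-package failure. The full packument is also much larger than the abbreviated one, so if this call runs once per new lockfile entry, consider caching the response by package name.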

Collaborator

@motsc sounds like it's correct, innit?
