ci(release-core): upgrade Node to 24 LTS (real fix for npm OIDC 404) #18
Merged
Node 24 LTS ships with npm 11.5+ natively. npm 11.5+ is the minimum that supports OIDC Trusted Publishing's registry-side handshake — npm 10.9.7 (bundled with Node 22) fails the handshake silently and the registry returns a misleading `404 "is not in this registry"` on PUT, as seen in run 24663169282. The previous corepack-based fix printed "Preparing npm@11.5.1 for immediate activation" but did not actually switch npm — the subsequent `npm --version` still reported 10.9.7. `corepack enable` only shims yarn/pnpm by default; npm is special-cased and `prepare --activate` doesn't swap the PATH. Rather than patch around that, moving to Node 24 makes it moot: npm 11.5+ is the shipped version, no extra step needed. This also sidesteps the unrelated Node 22.22.2 hostedtoolcache bug (missing `promise-retry` in the shipped npm's arborist) that bit us earlier.
Why
PR #17 replaced `npm install -g npm@latest` with `corepack enable && corepack prepare npm@11.5.1 --activate`. Corepack said it was preparing npm 11.5.1 — but in run 24663169282 the subsequent `npm --version` still reported 10.9.7. `corepack enable` only shims yarn and pnpm by default; npm is special-cased and `prepare --activate` does not swap the PATH. So `npm publish` was still running the 10.9.7 bundled with Node 22, which cannot complete the OIDC Trusted Publishing registry-side handshake. The registry treats the request as anonymous and returns a misleading `404 "is not in this registry"` on PUT.
Documented in this Medium post — the title literally says "The Weird 404 Error and the Node.js 24 Fix".
The fix
Upgrade to Node 24 LTS, which ships with npm 11.5+ natively. Drop the corepack step and the `npm install -g` step entirely — not needed. This also avoids the unrelated Node 22.22.2 hostedtoolcache regression (missing `promise-retry`) that failed the original v0.0.4 publish.
Test plan
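
A preflight check for the failure described above, as an added example that is not part of this PR or its test plan: it verifies the npm actually on `PATH` and the presence of the GitHub Actions OIDC token endpoint before `npm publish` runs, so the job fails with a clear reason instead of the registry's 404. The function names, the `MIN_NPM` default (the version the earlier corepack step pinned) and the return codes are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the PR): fail fast before an OIDC Trusted Publishing step.
# Assumption: minimum npm is 11.5.1, the version the earlier corepack step pinned.
MIN_NPM="${MIN_NPM:-11.5.1}"

# ver_field VERSION N: print the Nth dotted field as an integer (missing -> 0).
# Suffixes such as "-pre" are dropped, so pre-releases compare equal to the release.
ver_field() {
  vf=$(printf '%s..\n' "$1" | cut -d. -f"$2" | sed 's/[^0-9].*$//')
  printf '%s' "${vf:-0}"
}

# version_ge A B: succeed when A >= B, comparing major, minor, patch numerically.
version_ge() {
  for vg_i in 1 2 3; do
    vg_x=$(ver_field "$1" "$vg_i")
    vg_y=$(ver_field "$2" "$vg_i")
    [ "$vg_x" -gt "$vg_y" ] && return 0
    [ "$vg_x" -lt "$vg_y" ] && return 1
  done
  return 0
}

# oidc_publish_preflight NPM_VERSION
#   0: publish may proceed
#   1: npm on PATH is too old (the registry would see an anonymous PUT)
#   2: no OIDC token endpoint in the environment (job lacks 'id-token: write')
oidc_publish_preflight() {
  if ! version_ge "$1" "$MIN_NPM"; then
    echo "npm $1 is older than $MIN_NPM: OIDC handshake will not complete" >&2
    return 1
  fi
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
    echo "ACTIONS_ID_TOKEN_REQUEST_URL is unset: grant 'id-token: write'" >&2
    return 2
  fi
  return 0
}

# Intended use in the publish step (npm must be on PATH):
#   oidc_publish_preflight "$(npm --version)" && npm publish
```

Passing `$(npm --version)` rather than trusting a setup step's log output checks the binary that `npm publish` will actually execute.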