Merge branch 'master' of github.com:semantic-release/npm into alpha

travi · travi · commit 761d4db6c11f · 2025-10-13T16:23:43.000-05:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -26,7 +26,7 @@
     "lodash-es": "^4.17.21",
     "nerf-dart": "^1.0.0",
     "normalize-url": "^8.0.0",
-    "npm": "^11.5.1",
+    "npm": "^11.6.2",
     "rc": "^1.2.8",
     "read-pkg": "^9.0.0",
     "registry-auth-token": "^5.0.0",
@@ -47,10 +47,11 @@
     "semantic-release": "24.2.9",
     "sinon": "21.0.0",
     "stream-buffers": "3.0.3",
-    "strip-ansi": "7.1.2"
+    "strip-ansi": "7.1.2",
+    "testdouble": "3.20.2"
   },
   "engines": {
-    "node": "^22.14.0 || >= 24.2.0"
+    "node": "^22.14.0 || >= 24.10.0"
   },
   "files": [
     "lib",
diff --git a/test/integration.test.js b/test/integration.test.js
@@ -111,6 +111,26 @@ test("Throws error if NPM token is invalid", async (t) => {
   t.is(error.message, "Invalid npm authentication.");
 });
 
+test("Throws error if NPM token is not provided", async (t) => {
+  const cwd = temporaryDirectory();
+  const env = { DEFAULT_NPM_REGISTRY: npmRegistry.url };
+  const pkg = { name: "published", version: "1.0.0", publishConfig: { registry: npmRegistry.url } };
+  await fs.outputJson(path.resolve(cwd, "package.json"), pkg);
+
+  const {
+    errors: [error],
+  } = await t.throwsAsync(
+    t.context.m.verifyConditions(
+      {},
+      { cwd, env, options: {}, stdout: t.context.stdout, stderr: t.context.stderr, logger: t.context.logger }
+    )
+  );
+
+  t.is(error.name, "SemanticReleaseError");
+  t.is(error.code, "ENONPMTOKEN");
+  t.is(error.message, "No npm token specified.");
+});
+
 test("Skip Token validation if the registry configured is not the default one", async (t) => {
   const cwd = temporaryDirectory();
   const env = { NPM_TOKEN: "wrong_token" };
diff --git a/test/verify-auth.test.js b/test/verify-auth.test.js
@@ -0,0 +1,72 @@
+import test from "ava";
+import * as td from "testdouble";
+
+let execa, verifyAuth, getRegistry, setNpmrcAuth;
+const DEFAULT_NPM_REGISTRY = "https://registry.npmjs.org/";
+const npmrc = "npmrc contents";
+const pkg = {};
+const otherEnvVars = { foo: "bar" };
+const env = { DEFAULT_NPM_REGISTRY, ...otherEnvVars };
+const cwd = "./path/to/current/working/directory";
+const context = { env, cwd };
+
+test.beforeEach(async (t) => {
+  ({ execa } = await td.replaceEsm("execa"));
+  ({ default: getRegistry } = await td.replaceEsm("../lib/get-registry.js"));
+  ({ default: setNpmrcAuth } = await td.replaceEsm("../lib/set-npmrc-auth.js"));
+
+  ({ default: verifyAuth } = await import("../lib/verify-auth.js"));
+});
+
+test.afterEach.always((t) => {
+  td.reset();
+});
+
+test.serial(
+  "that the provided token is verified with `npm whoami` when trusted publishing is not established for the official registry",
+  async (t) => {
+    td.when(getRegistry(pkg, context)).thenReturn(DEFAULT_NPM_REGISTRY);
+    td.when(
+      execa("npm", ["whoami", "--userconfig", npmrc, "--registry", DEFAULT_NPM_REGISTRY], {
+        cwd,
+        env: otherEnvVars,
+        preferLocal: true,
+      })
+    ).thenReturn({
+      stdout: { pipe: () => undefined },
+      stderr: { pipe: () => undefined },
+    });
+
+    await t.notThrowsAsync(verifyAuth(npmrc, pkg, context));
+  }
+);
+
+test.serial(
+  "that the auth context for the official registry is considered invalid when no token is provided and trusted publishing is not established",
+  async (t) => {
+    td.when(getRegistry(pkg, context)).thenReturn(DEFAULT_NPM_REGISTRY);
+    td.when(
+      execa("npm", ["whoami", "--userconfig", npmrc, "--registry", DEFAULT_NPM_REGISTRY], {
+        cwd,
+        env: otherEnvVars,
+        preferLocal: true,
+      })
+    ).thenThrow(new Error());
+
+    const {
+      errors: [error],
+    } = await t.throwsAsync(verifyAuth(npmrc, pkg, context));
+
+    t.is(error.name, "SemanticReleaseError");
+    t.is(error.code, "EINVALIDNPMTOKEN");
+    t.is(error.message, "Invalid npm token.");
+  }
+);
+
+// since alternative registries are not consistent in implementing `npm whoami`,
+// we do not attempt to verify the provided token when publishing to them
+test.serial("that `npm whoami` is not invoked when publishing to a custom registry", async (t) => {
+  td.when(getRegistry(pkg, context)).thenReturn("https://other.registry.org");
+
+  await t.notThrowsAsync(verifyAuth(npmrc, pkg, context));
+});
