feat(learn): add article for publishing a typescript package #7279

JakobJingleheimer · 2024-11-23T14:40:44Z

This is not ready for feedback

Description

Document the recommended way to publish a typescript package

Validation

Related Issues

nodejs/typescript#19

Depends on #7229

Check List

I have read the Contributing Guidelines and made commit messages that follow the guideline.
I have run npm run format to ensure the code follows the style guide.
I have run npm run test to check if all tests are passing.
I have run npx turbo build to check if the website builds without errors.
I've covered new added functionality with unit tests if necessary.

vercel · 2024-11-23T14:40:48Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
nodejs-org	✅ Ready (Inspect)	Visit Preview	Dec 30, 2024 0:04am

AugustinMauroy · 2024-12-29T15:51:20Z

Jacob you should:

remove lint thing
explain tsc cli (may be redirect to the previous page)
link to --run https://nodejs.org/en/learn/command-line/run-nodejs-scripts-from-the-command-line#run-a-task-with-nodejs
remove comment on GA example # glob is not backported below 22.x that from nodejs-loaders 😁
Also on GA example you put node --run test, but on package.json example it's missing
If you keep test thing maybe add link to the test runner part.

ljharb · 2024-12-29T16:38:14Z

apps/site/pages/en/learn/typescript/publishing.md

+      fail-fast: false # prevent a failure in one version cancelling other runs
+
+    steps:
+      - uses: actions/checkout@v4


these version refs will likely get outdated pretty fast; what’s the plan for keeping them updated?

ljharb · 2024-12-29T16:39:12Z

apps/site/pages/en/learn/typescript/publishing.md

+    "lint": "…",
+    "types:check": "tsc --noEmit"
+  },
+  "optionalDependencies": {


this is incorrect; optional deps are runtime deps, and will always be installed - it just won’t fail the overarching install if it fails to compile. This will definitely install typescript locally, and for all consumers. There is no way to have optional dev deps, and “optional” wouldn’t be the same as it means for peerDependenciesMeta.

It's possible via --omit, I just haven't got to that yet :)

For an application, sure, but then doesn't that force consumers to use it?

No, why? As you say, it won't do anything magical on its own.

Anything in optionalDependencies will automatically be installed for consumers precisely the same as if it's in dependencies.

Yes…? Exactly?

and why would typescript be a runtime dependency? it should only ever be a peerDependency of a package, at most, and a package that isn't directly about typescript shouldn't be requiring consumers to install typescript at all.

@JakobJingleheimer Can we change it to devDependencies instead?

apps/site/pages/en/learn/typescript/publishing.md

ljharb · 2024-12-29T16:40:23Z

apps/site/pages/en/learn/typescript/publishing.md

+      - name: Publish with provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access public --provenance


this publishes with one factor, which is much less secure than publishing with 2fa; i strongly suggest node not in any way encourage doing this.

Is there any way to set up automated version publishing with 2FA? That would be ideal - automated and secure.

No, not without an external server - until GitHub adds a native way for a workflow to pause and wait for user input to continue.

Oula, I don't agree with you 100%. First of all you can ask for the 2FA for the provenance depending on the NPM token used. Also I think Node.js should recommend packages with provenance for security reasons.

I'm not sure what you mean - the only way to do two-factor is with two factors. Using an npm token is only ever a single factor.

As for provenance, I'm happy to discuss that separately, but whether it has value on its own or not is irrelevant - having 2FA is universally recognized as table stakes for security, which is why github and npm are making it required for everyone. They're not even planning to ever require provenance information, which should tell you about the relative security value of each.

@ljharb could you point me to some docs on the alternative? From googling, I just get instructions on how to set up 2FA on my npm account (which I already have), or use it interactively via CLI. And on the GHA side, I get only info about adding 2FA to my GH account (again, already have it).

But if you say GHA can't wait for something, I don't see how it's possible.

The only secure alternative is to publish locally, unless you have the resources to maintain an external server (like https://github.com/GoogleCloudPlatform/wombat-dressing-room) or unless you want to trust a third party server (like https://github.com/step-security/wait-for-secrets).

After asking around, I'm not getting a clear answer here. One security expert said use 2FA to secure the account and provenance to authenticate the release (slightly paraphrased, because it wasn't in English).

This seems logical and sufficient to me because you can't do the things triggered with the token without first passing the 2FA on the account doing them.

@nodejs/security could you please advise? Both things seem important yet seemingly cannot be combined during a publish step.

Unfortunately, to do both is impossible at the moment due to a limitation of all CI systems I'm aware of, and because npm provenance only works from a "trusted" CI system. It's possible GitLab offers this capability, but since Github doesn't, I'm not sure how it makes sense to recommend users do it.

also, the way npm publish/automation tokens work, 2FA is bypassed entirely - that's my point.

JakobJingleheimer · 2024-12-29T17:30:31Z

Thank you all, but if I may direct your attention to the huge note at the top of the PR 😜

Feedback is very welcome soon 🙏 but not now. Ex the GHA samples are copy+pasted from another project and have not been updated yet.