feat(learn): add article for publishing a typescript package #7279

JakobJingleheimer · 2024-11-23T14:40:44Z

Description

Document the recommended way to publish a typescript package

Validation

Related Issues

nodejs/typescript#19

Depends on #7229

Check List

I have read the Contributing Guidelines and made commit messages that follow the guideline.
I have run npm run format to ensure the code follows the style guide.
I have run npm run test to check if all tests are passing.
I have run npx turbo build to check if the website builds without errors.
I've covered new added functionality with unit tests if necessary.

vercel · 2024-11-23T14:40:48Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
nodejs-org	✅ Ready (Inspect)	Visit Preview	Dec 30, 2024 0:04am

AugustinMauroy · 2024-12-29T15:51:20Z

Jacob you should:

remove lint thing
explain tsc cli (may be redirect to the previous page)
link to --run https://nodejs.org/en/learn/command-line/run-nodejs-scripts-from-the-command-line#run-a-task-with-nodejs
remove comment on GA example # glob is not backported below 22.x that from nodejs-loaders 😁
Also on GA example you put node --run test, but on package.json example it's missing
If you keep test thing maybe add link to the test runner part.

ljharb · 2024-12-29T16:38:14Z

apps/site/pages/en/learn/typescript/publishing.md

+      fail-fast: false # prevent a failure in one version cancelling other runs
+
+    steps:
+      - uses: actions/checkout@v4


these version refs will likely get outdated pretty fast; what’s the plan for keeping them updated?

ljharb · 2024-12-29T16:39:12Z

apps/site/pages/en/learn/typescript/publishing.md

+    "lint": "…",
+    "types:check": "tsc --noEmit"
+  },
+  "optionalDependencies": {


this is incorrect; optional deps are runtime deps, and will always be installed - it just won’t fail the overarching install if it fails to compile. This will definitely install typescript locally, and for all consumers. There is no way to have optional dev deps, and “optional” wouldn’t be the same as it means for peerDependenciesMeta.

It's possible via --omit, I just haven't got to that yet :)

For an application, sure, but then doesn't that force consumers to use it?

No, why? As you say, it won't do anything magical on its own.

Anything in optionalDependencies will automatically be installed for consumers precisely the same as if it's in dependencies.

Yes…? Exactly?

and why would typescript be a runtime dependency? it should only ever be a peerDependency of a package, at most, and a package that isn't directly about typescript shouldn't be requiring consumers to install typescript at all.

@JakobJingleheimer Can we change it to devDependencies instead?

apps/site/pages/en/learn/typescript/publishing.md

ljharb · 2024-12-29T16:40:23Z

apps/site/pages/en/learn/typescript/publishing.md

+      - name: Publish with provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access public --provenance


this publishes with one factor, which is much less secure than publishing with 2fa; i strongly suggest node not in any way encourage doing this.

Is there any way to set up automated version publishing with 2FA? That would be ideal - automated and secure.

No, not without an external server - until GitHub adds a native way for a workflow to pause and wait for user input to continue.

Oula, I don't agree with you 100%. First of all you can ask for the 2FA for the provenance depending on the NPM token used. Also I think Node.js should recommend packages with provenance for security reasons.

I'm not sure what you mean - the only way to do two-factor is with two factors. Using an npm token is only ever a single factor.

As for provenance, I'm happy to discuss that separately, but whether it has value on its own or not is irrelevant - having 2FA is universally recognized as table stakes for security, which is why github and npm are making it required for everyone. They're not even planning to ever require provenance information, which should tell you about the relative security value of each.

also, the way npm publish/automation tokens work, 2FA is bypassed entirely - that's my point.

I think "bypassed entirely", whilst technically possible, is not realistic. Yes, GitHub has the token and could do it. That possibility seems…remote. As you say, it is a trusted CI system. Aside from that, both sides are guarded by 2FA, and left or right are the only realistic access-points—when both actors are trusted, it seems reasonable to trust whatever they're doing, and provenance assures there has been no slight of hand / man-in-the-middle.

If we could have both, yeah, let's do it!

I don't know enough to authoritatively say what we should do since we apparently must choose one or the other, so I think we should defer to our own team of security experts (@marco-ippolito 👀).

GitHub could be exploited, separate from whether one of the tens of thousands of Microsoft employees was a bad actor.

I’m suggesting node simply not recommend a publishing method rather than wade into a conversation that industry security experts don’t even agree on.

Let's give the security team a chance to weigh in. If we don't get a definitive answer, then let's come up with an alternative (I would be inclined to list both options and, possibly in an addendum, explain some of the key advantages and disadvantages—especially since this info was difficult for even us to gather).

Generally speaking I'd omit giving an advice on this matter completely and leave the user to do their own research on how to publish on npm since its out of the scope of this guide. Ssince there is no out of the box alternative I'm ok with suggesting 1F (which we use on many of our @nodejs packages)