chore(repo): replace verdaccio scripts with pkglab #7858
nikosdouvlis wants to merge 54 commits into main
Removes yalc entirely and replaces it with pkglab, which publishes to a real local Verdaccio registry for proper npm-like installs. Each package now has a dev:pub script that runs the build in watch mode and fires pkglab pub --ping on each rebuild, letting the listener coalesce rapid publishes into batched cycles. Playground apps use workspace:* instead of file:.yalc references.
Replaces the custom two-phase Verdaccio setup with pkglab CLI. CI workflows now use pkglab pub to publish packages and pkglab add to pin exact versions in smoke test directories and integration test apps. Integration test setup detects @clerk/* dependencies and runs pkglab add to pin them. Global setup verifies the registry is reachable. Removes the standalone Verdaccio configs and action.
…ab migration
Why: The merge from main into nk/e2e-pkglab introduced three unrelated regressions: the @clerk/backend/proxy export was removed (breaking @clerk/express and @clerk/nextjs imports), @clerk/nextjs version was bumped from 6.x to 7.x, and leftover verdaccio references in scripts and root deps were missed during the initial pkglab migration.
What changed:
- Restored @clerk/backend/proxy export, files entry, and tsup build entry
- Reverted @clerk/nextjs version from 7.36.2 back to 6.36.1
- Rewrote scripts/local-registry.sh to delegate to pkglab (up/down/pub/clean)
- Removed release:verdaccio script and verdaccio devDep from root package.json
- Regenerated pnpm-lock.yaml to reflect dependency removal
- Fixed incorrect `pkglab stop` to `pkglab down` in local-registry.sh
…ry wrapper
Why: The local-registry.sh script was a thin wrapper delegating to pkglab commands, and `pnpm pub` already does the same thing. Cursor rules and gitignore comments still referenced verdaccio directly.
What changed:
- Deleted scripts/local-registry.sh (redundant, use `pnpm pub` or `pkglab pub` directly)
- Removed local:registry:up/down/pub npm scripts from root package.json
- Updated .cursor/rules to reference pkglab instead of verdaccio
- Updated .gitignore comment
- Simplified integration README setup steps
🦋 Changeset detected. Latest commit: 20d40bf. The changes in this PR will be included in the next version bump. This PR includes changesets to release 0 packages.
@clerk/agent-toolkit
@clerk/astro
@clerk/backend
@clerk/chrome-extension
@clerk/clerk-js
@clerk/dev-cli
@clerk/expo
@clerk/expo-passkeys
@clerk/express
@clerk/fastify
@clerk/hono
@clerk/localizations
@clerk/nextjs
@clerk/nuxt
@clerk/react
@clerk/react-router
@clerk/shared
@clerk/tanstack-react-start
@clerk/testing
@clerk/ui
@clerk/upgrade
@clerk/vue
📝 Walkthrough
Replaces Verdaccio with pkglab for local npm registry tasks across CI and repo tooling. CI workflows now build packages then publish with pkglab pub and install with pkglab add. Verdaccio configs, scripts, a Verdaccio action, and a preview workflow were removed. package.json scripts/devDependencies updated (verdaccio removed, pkglab bumped). Integration docs and tests now use pkglab and probe a local registry. Application setup can pin Clerk packages via pkglab add, applicationConfig exposes a new clerkDependencies getter, and package resolution utilities were simplified.
🚥 Pre-merge checks: ✅ 3 passed
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@integration/presets/utils.ts`:
- Around line 2-8: The exported function linkPackage currently has an implicit
return type; update its signature to declare an explicit return type (string) so
the public utility follows coding guidelines—i.e., change the function
declaration for linkPackage to include ": string" and ensure its implementation
still returns a string (currently '*').
In `@integration/tests/global.setup.ts`:
- Around line 12-20: The try block in integration/tests/global.setup.ts
currently calls execSync('curl -sf http://localhost:4873/ ...') which breaks on
Windows; replace that shell call with Node's native fetch and enforce the 5s
timeout using an AbortController + setTimeout (or Promise.race) so the request
is aborted if it exceeds 5000ms. On fetch failure or abort, throw the same Error
message as before about the pkglab registry not running; locate and update the
try/catch surrounding the execSync invocation to perform the fetch to
'http://localhost:4873/' and handle errors/timeouts accordingly.
integration/presets/utils.ts
Outdated
| * Returns a version specifier for a local Clerk package. | ||
| * | ||
| * Requires pkglab to be running with packages published. | ||
| * Run: pkglab pub | ||
| */ | ||
| function createPackageTarball(pkg: string): string { | ||
| if (tarballCache.has(pkg)) { | ||
| return tarballCache.get(pkg); | ||
| } | ||
|
|
||
| const pkgPath = path.resolve(process.cwd(), `packages/${pkg}`); | ||
| const tmpDir = path.join(os.tmpdir(), '.clerk-integration-tarballs'); | ||
|
|
||
| fs.mkdirSync(tmpDir, { recursive: true }); | ||
|
|
||
| const result = execSync('pnpm pack --pack-destination ' + tmpDir, { | ||
| cwd: pkgPath, | ||
| encoding: 'utf-8', | ||
| }); | ||
|
|
||
| const tgzPath = result.trim().split('\n').pop(); | ||
| const tarballPath = `file:${tgzPath}`; | ||
|
|
||
| tarballCache.set(pkg, tarballPath); | ||
| return tarballPath; | ||
| } | ||
|
|
||
| export function linkPackage(pkg: string) { | ||
| // eslint-disable-next-line turbo/no-undeclared-env-vars | ||
| if (process.env.CI === 'true') { | ||
| // In CI, use '*' to get the latest version from Verdaccio | ||
| // which will be the snapshot version we just published | ||
| return '*'; | ||
| } | ||
|
|
||
| // See: https://github.com/withastro/astro/issues/8312 | ||
| if (PACKAGES_REQUIRING_TARBALL.includes(pkg)) { | ||
| return createPackageTarball(pkg); | ||
| } | ||
|
|
||
| return `link:${path.resolve(process.cwd(), `packages/${pkg}`)}`; | ||
| export function linkPackage(_pkg: string) { | ||
| return '*'; |
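Review bot: `linkPackage(_pkg)` now ignores its argument and returns `'*'` on every path, so the result means "the local build" only when the install is pointed at the pkglab registry, and nothing in this function enforces that. If an install falls through to the public registry, `'*'` resolves to the newest published release and the tests run against code that is not this branch. Consider returning an explicit marker that the setup code must resolve through `pkglab add`, or failing when the local registry is not configured.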
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Locate and examine the file integration/presets/utils.ts
fd -t f "utils.ts" integration/presets
Repository: clerk/javascript
Length of output: 88
🏁 Script executed:
#!/bin/bash
# Read the file to verify the function signature at lines 2-8
if [ -f "integration/presets/utils.ts" ]; then
  echo "=== File content (lines 1-15) ==="
  head -n 15 integration/presets/utils.ts | cat -n
else
  echo "File not found"
fi
Repository: clerk/javascript
Length of output: 362
Add an explicit return type for the exported function.
This is a public utility and must declare its return type explicitly per coding guidelines.
Suggested fix
-export function linkPackage(_pkg: string) {
+export function linkPackage(_pkg: string): string {
return '*';
}
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| * Returns a version specifier for a local Clerk package. | |
| * | |
| * Requires pkglab to be running with packages published. | |
| * Run: pkglab pub | |
| */ | |
| function createPackageTarball(pkg: string): string { | |
| if (tarballCache.has(pkg)) { | |
| return tarballCache.get(pkg); | |
| } | |
| const pkgPath = path.resolve(process.cwd(), `packages/${pkg}`); | |
| const tmpDir = path.join(os.tmpdir(), '.clerk-integration-tarballs'); | |
| fs.mkdirSync(tmpDir, { recursive: true }); | |
| const result = execSync('pnpm pack --pack-destination ' + tmpDir, { | |
| cwd: pkgPath, | |
| encoding: 'utf-8', | |
| }); | |
| const tgzPath = result.trim().split('\n').pop(); | |
| const tarballPath = `file:${tgzPath}`; | |
| tarballCache.set(pkg, tarballPath); | |
| return tarballPath; | |
| } | |
| export function linkPackage(pkg: string) { | |
| // eslint-disable-next-line turbo/no-undeclared-env-vars | |
| if (process.env.CI === 'true') { | |
| // In CI, use '*' to get the latest version from Verdaccio | |
| // which will be the snapshot version we just published | |
| return '*'; | |
| } | |
| // See: https://github.com/withastro/astro/issues/8312 | |
| if (PACKAGES_REQUIRING_TARBALL.includes(pkg)) { | |
| return createPackageTarball(pkg); | |
| } | |
| return `link:${path.resolve(process.cwd(), `packages/${pkg}`)}`; | |
| export function linkPackage(_pkg: string) { | |
| return '*'; | |
| * Returns a version specifier for a local Clerk package. | |
| * | |
| * Requires pkglab to be running with packages published. | |
| * Run: pkglab pub | |
| */ | |
| export function linkPackage(_pkg: string): string { | |
| return '*'; | |
| } |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@integration/presets/utils.ts` around lines 2 - 8, The exported function
linkPackage currently has an implicit return type; update its signature to
declare an explicit return type (string) so the public utility follows coding
guidelines—i.e., change the function declaration for linkPackage to include ":
string" and ensure its implementation still returns a string (currently '*').
integration/tests/global.setup.ts
Outdated
| // Verify pkglab registry is running | ||
| try { | ||
| execSync('curl -sf http://localhost:4873/ > /dev/null', { timeout: 5000 }); | ||
| } catch { | ||
| throw new Error( | ||
| 'pkglab registry is not running. Start it with: pkglab pub\n' + | ||
| 'This publishes local packages to a Verdaccio registry for integration tests.', | ||
| ); | ||
| } |
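Review bot: the bare `catch {` around `execSync('curl -sf http://localhost:4873/ > /dev/null', { timeout: 5000 })` discards the failure reason, so a missing `curl` binary, a 5 s timeout and a refused connection all surface as "pkglab registry is not running". The probe also only proves that something answers on port 4873, not that the expected packages were published there. Capture the error and attach it to the thrown `Error`, and consider reading the registry URL from one shared constant instead of repeating the literal.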
🧩 Analysis chain
🏁 Script executed:
cat -n integration/tests/global.setup.ts
Repository: clerk/javascript
Length of output: 1536
🏁 Script executed:
# Check Node version requirements in package.json
cat -n package.json | head -30
Repository: clerk/javascript
Length of output: 1935
🏁 Script executed:
# Check if there are other curl usages in the file
rg -n "curl" integration/tests/global.setup.ts
Repository: clerk/javascript
Length of output: 142
🏁 Script executed:
# Check for .nvmrc, .node-version, or engines field
ls -la | grep -E "\.nvmrc|\.node-version"
Repository: clerk/javascript
Length of output: 119
🏁 Script executed:
# Check engines field in package.json
rg -A5 '"engines"' package.json
Repository: clerk/javascript
Length of output: 170
🏁 Script executed:
# Check if this is a Windows-specific test environment concern
rg -n "win32|windows|platform" integration/tests/global.setup.ts
Repository: clerk/javascript
Length of output: 42
Replace the curl shell invocation with native Node fetch to fix Windows compatibility.
The code uses execSync('curl -sf ...'), which fails on Windows where curl is not available by default. This blocks integration test setup on Windows environments. Replace with native Node fetch (available in Node 20.9.0+).
Note: The suggested timeout implementation needs correction—use Promise.race() or setTimeout()/clearTimeout() to enforce the 5-second timeout properly, rather than aborting after the fetch completes.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@integration/tests/global.setup.ts` around lines 12 - 20, The try block in
integration/tests/global.setup.ts currently calls execSync('curl -sf
http://localhost:4873/ ...') which breaks on Windows; replace that shell call
with Node's native fetch and enforce the 5s timeout using an AbortController +
setTimeout (or Promise.race) so the request is aborted if it exceeds 5000ms. On
fetch failure or abort, throw the same Error message as before about the pkglab
registry not running; locate and update the try/catch surrounding the execSync
invocation to perform the fetch to 'http://localhost:4873/' and handle
errors/timeouts accordingly.
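The reachability check the review comment above asks for, written as an added example (not code from the PR, from CodeRabbit, or from pkglab): the timer is armed before the request and cleared in `finally`, so the 5-second limit applies to the request itself, and the failure reason is kept in `error.cause`. `assertRegistryReachable` and its injectable `fetchImpl` parameter are hypothetical names.

```javascript
// Registry URL quoted in the review comment above.
const REGISTRY_URL = 'http://localhost:4873/';
const NOT_RUNNING =
  'pkglab registry is not running. Start it with: pkglab pub\n' +
  'This publishes local packages to a Verdaccio registry for integration tests.';

// Resolves with the HTTP status when the registry answers 2xx within
// timeoutMs; otherwise throws NOT_RUNNING with the reason in error.cause.
// fetchImpl is a hypothetical injection point so the check can run offline.
async function assertRegistryReachable(url = REGISTRY_URL, timeoutMs = 5000, fetchImpl = fetch) {
  const controller = new AbortController();
  // Arm the timer before the request so a hung connection is aborted mid-flight.
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  let cause;
  try {
    const res = await fetchImpl(url, { signal: controller.signal });
    if (res.ok) return res.status;
    cause = `HTTP ${res.status}`; // like curl -f, an error status counts as failure
  } catch (err) {
    cause = controller.signal.aborted
      ? `no response within ${timeoutMs} ms`
      : `request failed: ${err.message}`;
  } finally {
    clearTimeout(timer); // do not leave a pending timer holding the process open
  }
  throw new Error(NOT_RUNNING, { cause });
}
```

In a global setup file this would be awaited once before any test app is installed.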
Why: The preview workflow script used secco (which internally used verdaccio) to install Clerk packages in an isolated temp directory. pkglab already handles this, so secco is no longer needed.
What changed:
- Replaced secco install + `secco --force-verdaccio --scan-once` with `pkglab pub --force` + `pkglab add` for detected @clerk/* deps
- Dynamically reads @clerk/* deps from the site's package.json instead of hardcoding package names
- Removed SECCO_SOURCE_PATH env var
…cript Why: The !preview comment-triggered workflow hasn't been used by anyone. Vercel's automatic PR preview deployments replaced it. The script was the only consumer of secco in the repo.
Why: pkglab is a devDependency installed by pnpm, but CI workflow steps couldn't find it because node_modules/.bin isn't in PATH by default. Integration tests that run pkglab from temp directories outside the repo also need it accessible without pnpm exec.
Why: pnpm doesn't resolve pkglab's platform-specific optional dependencies (pkglab-linux-x64, etc.) when installed as a workspace devDep, so the binary wrapper fails with "Could not find pkglab-linux-x64". Installing globally via npm handles optional deps correctly and makes pkglab available from any working directory (needed for temp dir smoke tests).
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/actions/init/action.yml:
- Around line 122-124: The CI step named "Install pkglab" currently installs
pkglab@latest; update that npm install -g invocation to pin the package to the
repository's declared version (use the exact version string from package.json,
e.g. pkglab@^0.11.2) so the workflow installs the same pkglab release as local
development and avoids version drift in the "Install pkglab" step.
.github/actions/init/action.yml
Outdated
| - name: Install pkglab | ||
| run: npm install -g pkglab@latest | ||
| shell: bash |
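Review bot: `npm install -g pkglab@latest` resolves the version at run time and installs outside `pnpm-lock.yaml`, so the binary that publishes every package in CI is neither pinned nor covered by the lockfile. Pin an exact version here, or install it as a workspace devDependency and invoke it from `node_modules/.bin` so the lockfile governs which release runs.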
🧩 Analysis chain
🏁 Script executed:
cat .github/actions/init/action.yml | sed -n '120,130p'
Repository: clerk/javascript
Length of output: 305
🏁 Script executed:
fd -t f 'package.json' -x grep -l 'pkglab' {}
Repository: clerk/javascript
Length of output: 74
🏁 Script executed:
rg '"pkglab"\s*:' -g 'package.json' -A 1
Repository: clerk/javascript
Length of output: 136
🏁 Script executed:
python3 <<'PY'
import json
import urllib.request
import urllib.error
try:
    data = json.load(urllib.request.urlopen("https://registry.npmjs.org/pkglab/latest"))
    print("npm latest pkglab version:", data["version"])
except urllib.error.HTTPError as e:
    print(f"Error fetching npm data: {e}")
except Exception as e:
    print(f"Error: {e}")
PY
Repository: clerk/javascript
Length of output: 194
Pin pkglab to match the repository's declared version.
Lines 122-124 install pkglab with @latest, but the repository declares "pkglab": "^0.11.2" in package.json. This inconsistency causes CI to potentially run a different version than local development, breaking reproducibility and increasing supply-chain risk in a privileged workflow context. Use the same pinned version in CI as declared locally.
🔧 Proposed change
- name: Install pkglab
- run: npm install -g pkglab@latest
+ run: npm install -g pkglab@0.11.2
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Install pkglab | |
| run: npm install -g pkglab@latest | |
| shell: bash | |
| - name: Install pkglab | |
| run: npm install -g pkglab@0.11.2 | |
| shell: bash |
🧰 Tools
🪛 GitHub Check: CodeQL
[failure] 122-126: Checkout of untrusted code in a privileged context
Potential execution of untrusted code on a privileged workflow (issue_comment)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/actions/init/action.yml around lines 122 - 124, The CI step named
"Install pkglab" currently installs pkglab@latest; update that npm install -g
invocation to pin the package to the repository's declared version (use the
exact version string from package.json, e.g. pkglab@^0.11.2) so the workflow
installs the same pkglab release as local development and avoids version drift
in the "Install pkglab" step.
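One way to catch this kind of version drift before it reaches CI, as an added example (not code from the PR, from CodeRabbit, or from pkglab): a scan of workflow text for global npm installs that are not pinned to an exact version or that disagree with `package.json`. The YAML and manifest are constructed samples based on the step quoted above; `some-tool` and `other-tool` are hypothetical package names, and comparing against the manifest's range floor instead of the lockfile is a simplifying assumption.

```javascript
// Constructed sample inputs modelled on the step and manifest quoted above.
// "some-tool" and "other-tool" are hypothetical package names.
const SAMPLE_ACTION_YML = `
    - name: Install pkglab
      run: npm install -g pkglab@latest
      shell: bash
    - name: Install helpers
      run: npm i -g some-tool@1.4.0 && npm install --global other-tool
`;
const SAMPLE_PACKAGE_JSON = { devDependencies: { pkglab: '^0.11.2', 'some-tool': '1.4.0' } };

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Split "name@spec", keeping the leading "@" of scoped packages in the name.
function splitSpec(token) {
  const at = token.lastIndexOf('@');
  return at > 0 ? { name: token.slice(0, at), spec: token.slice(at + 1) } : { name: token, spec: '' };
}

// Report every globally installed package that is not pinned to an exact
// version, or whose pin differs from the manifest. Assumption: the manifest
// range floor stands in for the lockfile's resolved version.
function auditGlobalInstalls(ymlText, pkgJson) {
  const declared = { ...pkgJson.dependencies, ...pkgJson.devDependencies };
  const findings = [];
  ymlText.split('\n').forEach((line, idx) => {
    // Accept both "run: <cmd>" and the body lines of a "run: |" block.
    const body = line.replace(/^\s*(?:-\s*)?(?:run:\s*)?/, '');
    for (const cmd of body.split(/&&|;/)) {
      const words = cmd.trim().split(/\s+/);
      if (words[0] !== 'npm' || !['install', 'i'].includes(words[1])) continue;
      const args = words.slice(2);
      if (!args.some(a => a === '-g' || a === '--global')) continue;
      for (const token of args.filter(a => !a.startsWith('-'))) {
        const { name, spec } = splitSpec(token);
        const want = declared[name] || null;
        let problem = null;
        if (!EXACT_VERSION.test(spec)) {
          problem = spec ? `floating spec "${spec}"` : 'no version given';
        } else if (want && want.replace(/^[\^~]/, '') !== spec) {
          problem = `pin ${spec} differs from manifest ${want}`;
        }
        if (problem) findings.push({ line: idx + 1, name, problem, declared: want });
      }
    }
  });
  return findings;
}

console.log(auditGlobalInstalls(SAMPLE_ACTION_YML, SAMPLE_PACKAGE_JSON));
```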
Why: pkglab uses Bun internally for its registry server. CI runners don't have Bun installed, causing "Executable not found in $PATH: bun" when running pkglab pub. Also adds empty changeset to satisfy the changeset check since this PR only changes CI/tooling infrastructure.
pkglab 0.13.1 strips npm_config_* env vars internally before spawning package managers, so the workaround is no longer needed.
0.13.2 wrapper falls back to PATH lookup when the platform-specific binary isn't in node_modules, so the rm hack is no longer needed.
The devDep pkglab@^0.12.x shim doesn't have the PATH fallback from 0.13.2, and pnpm puts node_modules/.bin first on PATH, so the old shim shadows the global binary.
The 0.13.2 wrapper falls back to PATH when the platform binary isn't in node_modules, so the rm hack is no longer needed. CI reads the resolved version from node_modules after pnpm install to keep global and local versions in sync automatically.
…install pnpm doesn't resolve optional deps of devDeps, so the pkglab wrapper couldn't find pkglab-linux-x64 on CI. Adding it as a direct devDep ensures pnpm installs it, and adding pkglab-* to minimumReleaseAgeExclude (in pnpm-workspace.yaml, the correct location) unblocks recently published versions.
The CI workflow calls pkglab directly from shell steps (not via pnpm). Adding node_modules/.bin to GITHUB_PATH makes workspace binaries available in all subsequent steps, replacing the old global npm install approach.
7858b02 to e008695
e008695 to 17f235f
Dependencies with version 'pkglab' are installed from the local registry via pkglab add. Dependencies with real version strings (like '6') are installed from npm normally. This fixes the ap-flows test where @clerk/nextjs@6 was being overridden by the local build.
| minimumReleaseAgeExclude: | ||
| - '@clerk/*' | ||
| - 'pkglab' | ||
| - 'pkglab-*' |
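Review bot: the `'pkglab-*'` entry under `minimumReleaseAgeExclude` exempts every package whose name starts with `pkglab-` from the release-age delay, including names that have not been published yet. List the exact platform packages that are needed instead of a wildcard, and pair the exemption with exact version pins so a freshly published release is never pulled in implicitly.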
@nikosdouvlis Are you sure we can trust the owner of these packages?
Definitely looks shady, we'll need to pin exact versions to avoid issues in the future
| "devDependencies": { | ||
| "@clerk/ui": "workspace:^", | ||
| "astro": "^5.17.1" | ||
| "astro": "^5.15.9" |
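Review bot: the `astro` range in `devDependencies` changes between `^5.17.1` and `^5.15.9` here, which has no connection to the registry tooling this PR is about. If it is a side effect of merging, confirm which range is intended and keep the change out of this PR, then regenerate `pnpm-lock.yaml` to match the range that wins.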
# Conflicts: # pnpm-lock.yaml
490f16a to 20d40bf
CI integration tests relied on a custom Verdaccio composite action that required manually managing dist-tags, snapshot versions, and npm config workarounds. pkglab wraps all of this into simple `pkglab pub` and `pkglab add` commands.

What changed
CI workflows now use `pkglab pub --force` and `pkglab add` instead of the Verdaccio action. The `linkPackage()` helper and `E2E_CLERK_JS_VERSION`/`E2E_CLERK_UI_VERSION` env var overrides (verdaccio-era workarounds) are replaced with an explicit `PKGLAB` marker constant. Dependencies using `PKGLAB` as their version are resolved from the local registry via `pkglab add`, while dependencies with real version strings (like `'6'` for `@clerk/nextjs` v6 in ap-flows tests) go through npm as usual.

pkglab is installed as a devDependency with `node_modules/.bin` added to `$GITHUB_PATH` so `pkglab pub`/`pkglab add` are available in all CI shell steps.

Performance
Integration tests are ~18% faster on average (single sample, so some runner variance):

Removed
- `.github/actions/verdaccio/action.yml` (128-line composite action)
- `.github/workflows/preview.yml` (unused comment-triggered workflow)
- `scripts/install-site-in-isolation.mjs` (secco-based script, only consumer of preview workflow)
- `scripts/local-registry.sh` (thin wrapper around verdaccio)
- `verdaccio.install.yaml` and `verdaccio.publish.yaml`
- `verdaccio` devDependency
- `release:verdaccio` and `local:registry:*` root scripts

Summary by CodeRabbit
Refactor
Documentation
Chores