From 8b9fcddaf28ed5e0adae2081ed70ca211360b8bf Mon Sep 17 00:00:00 2001 From: dipto0321 Date: Sat, 4 Jul 2026 00:18:49 +0600 Subject: [PATCH] chore(release): rename npm package from nodeup-cli to nodeupx The nodeup-cli name is in npm's 24-hour unpublish hold after the 1.0.0 takedown, and rather than wait out the hold the wrapper moves to a fresh name. nodeupx was verified unclaimed on the registry (404) before this rename. The installed binary is still exposed as nodeup on $PATH; only the npm package name changes. Historical CHANGELOG entries that mention nodeup-cli are left untouched as a record of what shipped at the time. Refs #35, #37. Co-Authored-By: Claude Fable 5 --- .github/workflows/release.yml | 14 +++++++------- README.md | 6 +++--- docs/installation.md | 10 +++++----- docs/release-checklist.md | 14 +++++++------- nodeup-npm/README.md | 10 +++++----- nodeup-npm/package.json | 2 +- 6 files changed, 28 insertions(+), 28 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 91f8b02..3c88c40 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,9 +11,9 @@ # - Creates a GitHub Release with an auto-generated changelog # - Pushes to the homebrew-tap repo (if HOMEBREW_TAP_TOKEN is set) # - Pushes to the scoop-bucket repo (if SCOOP_BUCKET_TOKEN is set) -# 4. Publish the nodeup-cli npm wrapper via OIDC Trusted Publishing. +# 4. Publish the nodeupx npm wrapper via OIDC Trusted Publishing. # GitHub Actions exchanges its built-in OIDC token for a one-hour -# publish token scoped to the `nodeup-cli` package. No NPM_TOKEN +# publish token scoped to the `nodeupx` package. No NPM_TOKEN # secret, no rotation, no leak surface. # # Required secrets (configured per-repo): @@ -25,7 +25,7 @@ # # npm publish uses OIDC Trusted Publishing — no secret required. The # trust is registered on the npmjs.com side at -# https://www.npmjs.com/package/nodeup-cli/access +# https://www.npmjs.com/package/nodeupx/access # under "Trusted Publisher", pointing at this workflow by filename # (release.yml). If the publish job ever fails with ENEEDAUTH, the # first thing to check is that the trust entry on npmjs.com still @@ -84,15 +84,15 @@ jobs: SCOOP_BUCKET_TOKEN: ${{ secrets.SCOOP_BUCKET_TOKEN }} publish-npm: - name: Publish nodeup-cli to npm (OIDC) + name: Publish nodeupx to npm (OIDC) runs-on: ubuntu-latest needs: goreleaser # OIDC Trusted Publishing — the trust is registered on the npmjs.com - # side at https://www.npmjs.com/package/nodeup-cli/access under + # side at https://www.npmjs.com/package/nodeupx/access under # "Trusted Publisher", pointing at this workflow by filename. No # NPM_TOKEN secret is needed; the runner mints an OIDC token, # npmjs.com exchanges it for a one-hour publish token scoped to - # the nodeup-cli package. + # the nodeupx package. # # IMPORTANT: OIDC only kicks in when npm sees NO `_authToken` line # in .npmrc for the target registry. The actions/setup-node action @@ -130,7 +130,7 @@ jobs: mkdir -p ~/.npm printf 'registry=https://registry.npmjs.org/\n' > ~/.npmrc - - name: Publish nodeup-cli + - name: Publish nodeupx working-directory: ./nodeup-npm # --provenance attaches a SLSA-style attestation to the # published package, generated from this OIDC token. diff --git a/README.md b/README.md index f81be2d..2e89b5d 100644 --- a/README.md +++ b/README.md @@ -77,7 +77,7 @@ spell out exactly what to run. |---|---|---| | Already use Homebrew for dev tooling on macOS / Linux | **Homebrew** | One command, auto-updates with `brew upgrade`, lives outside any Node install, uninstalls cleanly with `brew uninstall`. | | Already use Scoop on Windows | **Scoop** | Same shape as Homebrew on the Windows side — `scoop update nodeup` keeps it current, no admin shell needed. | -| Already manage dev tools via `npm install -g` and want a one-liner | **npm wrapper** (`nodeup-cli`) | No new package manager to set up; the install travels with the Node version it's installed against. Slight catch: a `nodeup` upgrade ships when the wrapper version bumps. The npm name is `nodeup-cli` because `nodeup` is taken. | +| Already manage dev tools via `npm install -g` and want a one-liner | **npm wrapper** (`nodeupx`) | No new package manager to set up; the install travels with the Node version it's installed against. Slight catch: a `nodeup` upgrade ships when the wrapper version bumps. The npm name is `nodeupx` because `nodeup` is taken. | | Are blocked from system package installs but can `npm i -g` | **npm wrapper** | Sandboxed / corp-locked-down machines often allow npm globals where they block system installers. | | Maintain `nodeup` itself, or want a version pinned to a specific tag without any postinstall network step | **Direct binary download** | You choose the exact release; no installer, no auto-update, no Node coupling. Best for reproducible CI installs. | | Are a Go developer hacking on `nodeup` and want the latest commit | **`go install`** | Pulls the current source and builds it locally. Fastest iteration loop for contributors. | @@ -107,10 +107,10 @@ auto-managed by GoReleaser from `scoop: {}` in `.goreleaser.yaml`. #### npm wrapper (any platform with Node ≥ 14) ```bash -npm install -g nodeup-cli +npm install -g nodeupx ``` -The wrapper is published as **`nodeup-cli`**, not `nodeup`, because +The wrapper is published as **`nodeupx`**, not `nodeup`, because the bare `nodeup` name on npmjs.com is owned by an unrelated, dormant 2015 package (`romanmt/nodeup` — "a simple cluster implementation for node"). The downloaded binary still installs diff --git a/docs/installation.md b/docs/installation.md index 2e7afdc..09cbc1e 100644 --- a/docs/installation.md +++ b/docs/installation.md @@ -25,7 +25,7 @@ exactly what to run. |---|---|---|---|---|---| | **Homebrew** | `brew install dipto0321/tap/nodeup` | Yes — `brew upgrade` | `/opt/homebrew/bin/` (macOS) or `/home/linuxbrew/.linuxbrew/bin/` (Linux) | macOS / Linux devs already using Homebrew for tooling | You don't have Homebrew and don't want to set it up just for one tool | | **Scoop** | `scoop install nodeup` (after adding the bucket) | Yes — `scoop update` | `%USERPROFILE%\scoop\apps\nodeup\` | Windows devs already using Scoop | You prefer winget / Chocolatey — neither is wired up today | -| **npm wrapper** | `npm install -g nodeup-cli` | Semi — `npm update -g nodeup-cli` only when a wrapper version bumps | Inside a Node install, on your global `node_modules/` path | JS devs who already treat `npm i -g` as the source of truth for CLIs; locked-down machines that block system installers but allow npm globals | You want a CLI that lives completely outside any Node install, or you want to track Go-binary releases the moment they tag (the wrapper lags by one publish). **Note**: the package is `nodeup-cli`, not `nodeup` — `nodeup` is taken on npmjs.com. | +| **npm wrapper** | `npm install -g nodeupx` | Semi — `npm update -g nodeupx` only when a wrapper version bumps | Inside a Node install, on your global `node_modules/` path | JS devs who already treat `npm i -g` as the source of truth for CLIs; locked-down machines that block system installers but allow npm globals | You want a CLI that lives completely outside any Node install, or you want to track Go-binary releases the moment they tag (the wrapper lags by one publish). **Note**: the package is `nodeupx`, not `nodeup` — `nodeup` is taken on npmjs.com. | | **Direct binary** | `curl … \| tar xz` | No — you re-run to update | Wherever you put the extracted binary | CI pipelines, reproducible installs, lock-down environments without npm or brew | You want auto-updates; you'll forget to re-run | | **From source** | `go install ./cmd/nodeup@latest` | No — re-run against a new tag | `$GOBIN` or `$GOPATH/bin` | `nodeup` contributors and Go developers who want HEAD | Anyone who doesn't have Go installed and isn't trying to hack on the tool | @@ -68,10 +68,10 @@ holds the manifest and is auto-pushed by GoReleaser. ### npm wrapper (any platform with Node ≥ 14) ```bash -npm install -g nodeup-cli +npm install -g nodeupx ``` -The package is published as **`nodeup-cli`**, not `nodeup`, because +The package is published as **`nodeupx`**, not `nodeup`, because the bare `nodeup` name on npmjs.com is owned by an unrelated, dormant 2015 package (`romanmt/nodeup` — "a simple cluster implementation for node"). The downloaded binary still installs as @@ -87,7 +87,7 @@ blocked but npm globals are allowed. - **Slight version lag.** The wrapper pins to the Go-binary version in its `binaryVersion` field. A new Go release needs a new wrapper - publish — `npm update -g nodeup-cli` only gets you a new Go binary + publish — `npm update -g nodeupx` only gets you a new Go binary after the wrapper version that pins to it ships. To jump to a brand-new release ahead of that, use a direct-binary install. - **Coupled to a Node install.** The wrapper and binary live inside @@ -167,7 +167,7 @@ and uninstalls consistently: - **Homebrew** owns upgrades → use `brew upgrade nodeup`. - **Scoop** owns upgrades → use `scoop update nodeup`. -- **npm** owns upgrades → use `npm update -g nodeup-cli`. +- **npm** owns upgrades → use `npm update -g nodeupx`. - **Direct binary** owns upgrades → re-run the curl one-liner (or pin a specific tag in CI). - **From source** owns upgrades → `go install -u diff --git a/docs/release-checklist.md b/docs/release-checklist.md index 19af970..936a17c 100644 --- a/docs/release-checklist.md +++ b/docs/release-checklist.md @@ -73,11 +73,11 @@ cd .. **Required once, not per release:** -- An `npmjs.com` account with publish rights on the `nodeup-cli` +- An `npmjs.com` account with publish rights on the `nodeupx` package name. The bare `nodeup` name is owned by an unrelated 2015 package (`romanmt/nodeup`, "a simple cluster implementation - for node") so we ship under `nodeup-cli`. `npm publish` will fail - with `You do not have permission to publish "nodeup-cli"` if the + for node") so we ship under `nodeupx`. `npm publish` will fail + with `You do not have permission to publish "nodeupx"` if the name isn't claimed yet on your account. - **2FA enabled** on the npm account, with an authenticator-app factor (TOTP). Configure under @@ -97,11 +97,11 @@ offers two options — pick one before wiring up `release.yml`: **Option A — OIDC Trusted Publishing (recommended).** GitHub Actions can publish without a long-lived secret. The runner exchanges its built-in OIDC token for a one-hour publish token -scoped to the `nodeup-cli` package. Per-package config lives in +scoped to the `nodeupx` package. Per-package config lives in npm's "Trusted Publisher" UI. 1. After the first manual `npm publish` succeeds, open - (or the + (or the "Trust" tab on the package page) and add a trusted publisher: - Provider: **GitHub Actions** - Repository: `dipto0321/nodeup` @@ -131,10 +131,10 @@ Actions entirely, or if you're publishing from a non-GitHub CI. /tokens> and click **Generate New Token**. 2. Fill in: - - **Name / description**: e.g. `nodeup-cli-ci-publish` + - **Name / description**: e.g. `nodeupx-ci-publish` - **Expiration**: 30 days (granular tokens max out at 90 days; rotate before expiry) - - **Packages and scopes**: select `nodeup-cli` only (not `*`, + - **Packages and scopes**: select `nodeupx` only (not `*`, not unscoped — limit the blast radius) - **Permissions**: `Read and write` on packages - **Bypass 2FA**: ON (so the CI publish doesn't need an OTP) diff --git a/nodeup-npm/README.md b/nodeup-npm/README.md index 6594d0e..f16b4f4 100644 --- a/nodeup-npm/README.md +++ b/nodeup-npm/README.md @@ -1,11 +1,11 @@ -# nodeup-cli (npm wrapper) +# nodeupx (npm wrapper) > Thin npm wrapper around the [`nodeup`](https://github.com/dipto0321/nodeup) > Go binary. Installs the right static binary for your OS/arch on -> `npm install -g nodeup-cli` and exposes `nodeup` on your `$PATH`. +> `npm install -g nodeupx` and exposes `nodeup` on your `$PATH`. This directory is the **npm distribution channel** for `nodeup`. The -package is published as **`nodeup-cli`** because the bare `nodeup` +package is published as **`nodeupx`** because the bare `nodeup` name on npmjs.com is owned by an unrelated, dormant 2015 package (`romanmt/nodeup`, "a simple cluster implementation for node"). The downloaded binary still ships as the `nodeup` CLI you know. @@ -18,7 +18,7 @@ package's `binaryVersion` field points at. ## Install ```bash -npm install -g nodeup-cli +npm install -g nodeupx nodeup version ``` @@ -73,7 +73,7 @@ release bump ship in the same commit. ## Updating ```bash -npm update -g nodeup-cli +npm update -g nodeupx ``` You get a new wrapper version. If that wrapper pins a newer diff --git a/nodeup-npm/package.json b/nodeup-npm/package.json index 7e570c3..67424f2 100644 --- a/nodeup-npm/package.json +++ b/nodeup-npm/package.json @@ -1,5 +1,5 @@ { - "name": "nodeup-cli", + "name": "nodeupx", "version": "1.0.1", "description": "Automated Node.js version upgrade + global package migration CLI. Static Go binary wrapped for npm distribution.", "license": "MIT",