Skip to content

[scripts] Bug Fix: Let npm prompt for OTP when publishing bootstrap stubs#8820

Open
etrepum wants to merge 3 commits into
facebook:mainfrom
etrepum:claude/trusted-publishing-setup-fail-4v4bwp
Open

[scripts] Bug Fix: Let npm prompt for OTP when publishing bootstrap stubs#8820
etrepum wants to merge 3 commits into
facebook:mainfrom
etrepum:claude/trusted-publishing-setup-fail-4v4bwp

Conversation

@etrepum

@etrepum etrepum commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Description

setup-trusted-publishing.mjs --bootstrap fails with npm error code EOTP when publishing a placeholder stub for a new package (e.g. @lexical/mdast). publishStub ran npm publish (and the follow-up npm deprecate) through the captured exec() helper, which pipes all stdio; npm only attempts its interactive OTP / web-auth recovery when both stdin and stdout are TTYs, so the publish failed hard instead of prompting for authentication.

This routes both commands through runNpm — which the rest of the script already uses for exactly this reason — adding a cwd option so npm publish can run from the stub's temp directory. npm now prints the web-auth URL and waits, and "Skip two-factor authentication for the next 5 minutes" covers the rest of the run. runNpm also strips the pnpm-only npm_config_* env vars, silencing npm 11+'s "Unknown env config" warnings during the publish.

Test plan

Before

pnpm run setup-trusted-publishing --bootstrap --package @lexical/mdast fails at the stub publish with npm error code EOTP / "This operation requires a one-time password" without ever prompting.

After

The same command prints "Publishing @lexical/mdast@0.0.0-bootstrap.0 (npm may prompt for OTP / web auth):" and npm's interactive web-auth flow proceeds. Verified --bootstrap --dry-run still short-circuits before publishing, and node --check, prettier, and eslint pass.

…tubs

## Description

`setup-trusted-publishing.mjs --bootstrap` fails with `npm error code
EOTP` when publishing a placeholder stub for a new package (e.g.
`@lexical/mdast`). `publishStub` ran `npm publish` (and the follow-up
`npm deprecate`) through the captured `exec()` helper, which pipes all
stdio; npm only attempts its interactive OTP / web-auth recovery when
both stdin and stdout are TTYs, so the publish failed hard instead of
prompting for authentication.

This routes both commands through `runNpm` — which the rest of the
script already uses for exactly this reason — adding a `cwd` option so
`npm publish` can run from the stub's temp directory. npm now prints
the web-auth URL and waits, and "Skip two-factor authentication for
the next 5 minutes" covers the rest of the run. `runNpm` also strips
the pnpm-only `npm_config_*` env vars, silencing npm 11+'s "Unknown
env config" warnings during the publish.

## Test plan

### Before

`pnpm run setup-trusted-publishing --bootstrap --package @lexical/mdast`
fails at the stub publish with `npm error code EOTP` / "This operation
requires a one-time password" without ever prompting.

### After

The same command prints "Publishing @lexical/mdast@0.0.0-bootstrap.0
(npm may prompt for OTP / web auth):" and npm's interactive web-auth
flow proceeds. Verified `--bootstrap --dry-run` still short-circuits
before publishing, and `node --check`, prettier, and eslint pass.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@vercel

vercel Bot commented Jul 8, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
lexical Ready Ready Preview Jul 9, 2026 3:43am
lexical-playground Ready Ready Preview Jul 9, 2026 3:43am

Request Review

@meta-cla meta-cla Bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants