jupyter-server / jupyter_releaser

A set of helper scripts and GitHub Actions to aid in automated releases of Python and npm packages.
https://jupyter-releaser.readthedocs.io/en/latest/

Previously published versions no longer ignored #563

Closed krassowski closed 3 months ago

krassowski commented 3 months ago

The releaser has logic to ignore previously published npm versions on upload:

https://github.com/jupyter-server/jupyter_releaser/blob/ac38c6a0607e00fd65f2b70625965862b2a641db/jupyter_releaser/lib.py#L443-L451

It was used in lumino to only publish packages which had versions bumped, but it is no longer working as of today: https://github.com/jupyterlab/lumino/issues/693

I am not sure if it has something to do with https://github.com/jupyterlab/lumino/pull/690, or if NPM just changed the error message. Unfortunately, the error message is not seen in the traceback (which I think should be fixed too).

To see what the error message is we need something like:

         stderr = e.stderr 
         if "EPUBLISHCONFLICT" in stderr or "previously published versions" in stderr: 
             continue
         else:
+            util.log(stderr)
         raise e 
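
Review bot: the added util.log(stderr) in the else branch assumes e.stderr is a string, but it is None when the publish command was run without capturing stderr, in which case the "EPUBLISHCONFLICT" in stderr test above raises TypeError before the log call and the npm message still never appears. Normalizing first (stderr = e.stderr or "", decoding if it is bytes) keeps both the check and the new log line safe. As laid out here raise e sits at the level of the if rather than inside else; it is only reached through else because the if branch continues, but indenting it under else next to the log call would make that explicit.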

krassowski commented 3 months ago

When I try to publish an old version of a different package using npm locally, the error message returned by NPM is:

npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://registry.npmjs.org/@jupyter-lsp%2fjupyterlab-lsp - You cannot publish over the previously published versions: 5.1.0.
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.

This one should be picked up by the check above. I wonder if there is a different message when publishing with provenance, or in a newer NPM version.

krassowski commented 3 months ago

Maybe it is related to a recent transition to node 20.x? I see NODE_VERSION=20.x in the failing publish job.

krassowski commented 3 months ago

Nope, same error message seen locally with node 20.x and npm 10.5.0. I do not see an easy way forward other than merging https://github.com/jupyter-server/jupyter_releaser/pull/564 and testing it out live on lumino to get the error logs.

blink1073 commented 3 months ago

I released https://github.com/jupyter-server/jupyter_releaser/releases/tag/v1.8.0

krassowski commented 3 months ago

Thank you!

It is failing with:

npm notice
npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in to https://registry.npmjs.org/
npm ERR! need auth You need to authorize this machine using `npm adduser`

So this looks like a configuration issue for lumino rather than what I initially suspected. Is there documentation on how to configure it to work, or do you know how to fix it?

blink1073 commented 3 months ago

Ah, I think I accidentally deleted the NPM_TOKEN secret, I just added it back.

krassowski commented 3 months ago

Thanks, this helped!
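
The failure handling discussed in this thread, as an added example that is not jupyter_releaser's own code: it skips only the "previously published versions" conflict and logs then re-raises anything else, such as the ENEEDAUTH failure seen here. The names `classify_publish_failure`, `publish_all` and the `run` callable are hypothetical; the sample stderr text is copied from the comments above.

```python
import re
import subprocess

# Substrings from the check quoted in the issue; npm output copied from the thread.
CONFLICT_MARKERS = ("EPUBLISHCONFLICT", "previously published versions")
ERROR_CODE = re.compile(r"^npm ERR! code (\S+)", re.MULTILINE)
CONFLICT_STDERR = (
    "npm ERR! code E403\n"
    "npm ERR! 403 403 Forbidden - PUT https://registry.npmjs.org/@jupyter-lsp%2fjupyterlab-lsp"
    " - You cannot publish over the previously published versions: 5.1.0.\n"
)
AUTH_STDERR = (
    b"npm notice\n"
    b"npm ERR! code ENEEDAUTH\n"
    b"npm ERR! need auth This command requires you to be logged in to https://registry.npmjs.org/\n"
)


def normalize_stderr(stderr):
    """e.stderr is None when not captured and bytes unless text mode was used."""
    if stderr is None:
        return ""
    return stderr.decode("utf-8", "replace") if isinstance(stderr, bytes) else stderr


def classify_publish_failure(stderr):
    """Return (action, npm_code); action is 'skip' only for a version conflict."""
    text = normalize_stderr(stderr)
    match = ERROR_CODE.search(text)
    code = match.group(1) if match else None
    action = "skip" if any(m in text for m in CONFLICT_MARKERS) else "fail"
    return action, code


def publish_all(packages, run, log=print):
    """Hypothetical driver: `run(pkg)` raises CalledProcessError when npm fails."""
    published, skipped = [], []
    for pkg in packages:
        try:
            run(pkg)
        except subprocess.CalledProcessError as e:
            action, code = classify_publish_failure(e.stderr)
            if action == "skip":
                skipped.append(pkg)
                continue
            # Surface npm's message before re-raising so it reaches the CI log.
            log(f"npm publish failed for {pkg} (code={code}):\n{normalize_stderr(e.stderr)}")
            raise
        published.append(pkg)
    return published, skipped
```

The classifier keys on the message text rather than the E403 code, because the npm output above shows the same 403 also covers a server you do not have access to.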