Why does the package.json "prepare" script download a release from sqlite.org?

[grantcox]

To be clear, I've never managed a JS library, and am not particularly familiar with package.json conventions. So perhaps this is standard behavior? But I found some difficulty with it so thought I'd ask.

When installing a package with npm or yarn, if it's being installed from a git repo, any "prepare" script defined in the package.json will be run.

The "prepare" script in this project runs the "build" script, which runs /bin/index.js, which downloads and extracts the latest release from https://sqlite.org. This completely replaces the installed package code with the latest released version.

These two behaviors mean that when I attempted to test some changes via my own Github fork, I found that until I removed the "prepare" script from package.json, all I could install was the public release code. Yarn's yarn.lock would state it had installed my particular branch/revision, would even have the correct SHA256 checksum, but this "download from sqlite.org and overwrite" post-install behavior meant the actual lib code was not as expected.

I assumed this may mean it was impossible to install any prior @sqlite/sqlite-wasm package versions. But npm & yarn don't actually run that "prepare" script when installing a package from https://www.npmjs.com/, so this overwriting does not happen. So I don't think this behavior will affect your official releases (now or in the future).

But, I'd be interested to hear if this behavior is intentional, as I can't think of why a "download and overwrite with latest official release" would be useful. If it is useful for release packaging purposes, perhaps the "release" script could be renamed to "postpack" - it looks like that runs at a similar point in the packaging lifecycle but doesn't run when installing from a git repo.

[tomayac]

Fixed via https://github.com/sqlite/sqlite-wasm/commit/64e8a46ddc0ffe72f78472c2570026d6af576b80. Released as @sqlite.org/sqlite-wasm@3.45.3-build2. Thank you!