fix: pin npm@11 in publish workflow to avoid self-upgrade corruption

tianzhou · claude · tianzhou · commit 5c91f003f95e · 2026-04-02T21:19:54.000-07:00
npm install -g npm@latest can fail when the latest version has broken
internal dependencies (e.g., missing promise-retry module). Pinning to
npm@11 avoids pulling broken releases while still meeting the npm 11.5+
requirement for OIDC trusted publishing.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -57,10 +57,10 @@ jobs:
         with:
           node-version: "22"
 
-      # Upgrade npm to latest for OIDC trusted publishing support (requires npm 11.5+)
+      # Upgrade npm for OIDC trusted publishing support (requires npm 11.5+)
       - name: Upgrade npm
         run: |
-          npm install -g npm@latest
+          npm install -g npm@11
           echo "npm version: $(npm --version)"
 
       # Install pnpm for faster and more reliable package management
