
fix: fall back to oxfmt or skip when prettier cannot format changelog#145

Merged
rexxars merged 2 commits into main from fix/oxfmt-or-prettier, Jun 11, 2026

Conversation

rexxars (Member) commented Jun 9, 2026

Problem

Releases fail in repos where prettier is not a direct dependency, for example this get-it run:

[semantic-release] [@semantic-release/exec] › ℹ  Call script npx -y prettier --write CHANGELOG.md
sh: 1: prettier: not found
[semantic-release] › ✘  Failed step "prepare" of plugin "@semantic-release/exec"

Failure mode

npx -y is supposed to download prettier when it is missing, but it does not in this scenario. The failing combination is:

  • The project uses pnpm
  • prettier is not a direct dependency (get-it switched to oxfmt), but it is still in the lockfile as a transitive dependency, so it exists under node_modules/.pnpm/prettier@x.y.z

When npx -y prettier runs, npm scans the actual node_modules tree, finds a package named prettier in the pnpm store, and concludes it is already installed locally - so it skips the download. It then executes prettier --write CHANGELOG.md through sh, expecting the bin to be on PATH. But pnpm only links bins for direct dependencies into node_modules/.bin, so there is no prettier executable anywhere on PATH: sh: 1: prettier: not found, exit 127.

This is deterministic, not stale cache: reproduced in a clean node:22 container with a pnpm project that has prettier only as a transitive dependency. The same setup installed with npm works fine, since npm hoists transitive bins differently.

Fix

Chain fallbacks in the prepareCmd:

npx -y prettier --write CHANGELOG.md || npx -y oxfmt --write CHANGELOG.md || echo "Unable to format CHANGELOG.md, skipping"

  • prettier works (direct dep, or npx downloads it): formats as before, oxfmt never runs
  • prettier fails (the pnpm scenario above): oxfmt formats instead - oxfmt handles markdown and its default output matches prettier's for changelogs (- bullets, collapsed whitespace)
  • both fail: logs a message and exits 0, so the release proceeds with an unformatted changelog instead of failing

Verification

All paths tested through sh -c the same way @semantic-release/exec runs the command:

  • Happy path: prettier formats, exit 0
  • Exact get-it scenario in a node:22 container (pnpm, transitive prettier, direct oxfmt dep): prettier branch fails with prettier: not found, oxfmt branch finds the locally linked bin and formats CHANGELOG.md correctly, exit 0
  • Both formatters failing: skip message printed, exit 0

🤖 Generated with Claude Code
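
As an added example (not code from the PR or the project), the script below exercises the prepareCmd chain from the Fix section the same way the Verification section describes, through sh -c. Constructed stub binaries stand in for npx -y prettier and npx -y oxfmt so it runs offline; the stub behaviour, the marker lines they write and the scratch directory are assumptions. It goes one step past the PR's three cases by also covering a prettier bin that is present but exits non-zero, which the chain treats exactly like a missing bin.

```shell
#!/bin/sh
# Added example, not the PR's or the project's code: drives the
#   prettier || oxfmt || echo "...skipping"
# prepareCmd chain under sh -c with constructed stub formatters instead
# of npx, so it runs offline. Stub behaviour and temp paths are assumptions.

# Write a stub executable named $2 into $1. Invoked as "<name> --write FILE",
# it appends a marker line to FILE when $3 is 0 and always exits with $3.
make_stub() {
  dir=$1; name=$2; status=$3
  printf '#!/bin/sh\n[ %s -eq 0 ] && echo "formatted-by-%s" >> "$2"\nexit %s\n' \
    "$status" "$name" "$status" > "$dir/$name"
  chmod +x "$dir/$name"
}

# Run the chain the way @semantic-release/exec does, through sh -c. Only the
# stub dir ($1) and the system dirs are on PATH, so a stub that was never
# created is genuinely "not found" (exit 127), as in the pnpm scenario.
# Plain "prettier" / "oxfmt" stand in for "npx -y prettier" / "npx -y oxfmt".
run_chain() {
  PATH="$1:/bin:/usr/bin" sh -c \
    'prettier --write "$1" || oxfmt --write "$1" || echo "Unable to format $1, skipping"' \
    sh "$2"
}

# Build a scratch repo with a constructed CHANGELOG.md and install stubs per
# $1 (prettier) and $2 (oxfmt): an exit status, or "missing" for no bin at all.
# Prints "<chain exit status>|<last changelog line>|<skip message seen>".
scenario() {
  tmp=$(mktemp -d); bin="$tmp/bin"; mkdir "$bin"
  log="$tmp/CHANGELOG.md"
  printf '* constructed entry\n' > "$log"
  [ "$1" = missing ] || make_stub "$bin" prettier "$1"
  [ "$2" = missing ] || make_stub "$bin" oxfmt "$2"
  status=0
  out=$(run_chain "$bin" "$log" 2>/dev/null) || status=$?
  case $out in *skipping*) skipped=yes ;; *) skipped=no ;; esac
  printf '%s|%s|%s\n' "$status" "$(tail -n 1 "$log")" "$skipped"
  rm -rf "$tmp"
}

# Stand-alone run: the PR's three branches, plus prettier present but failing
# (hypothetical exit status 2), which the chain silently falls through as well.
for args in "0 0" "missing 0" "missing 1" "missing missing" "2 0"; do
  set -- $args
  echo "prettier=$1 oxfmt=$2 -> $(scenario "$1" "$2")"
done
```

Every row reports exit status 0, which is the point of the last `|| echo` arm and also its cost: once the chain is in place, a formatter that is installed but broken is indistinguishable from one that is absent, and the only trace in the release log is the "Unable to format ... skipping" line, so that string is what to watch for in release output.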

rexxars and others added 2 commits June 9, 2026 14:22
npx -y prettier fails in pnpm projects where prettier is only a
transitive dependency: npm sees the package in the node_modules tree,
skips the download, then cannot find the bin on PATH (pnpm only links
bins for direct dependencies). Chain fallbacks so the release does not
fail over changelog formatting.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@rexxars rexxars requested a review from a team as a code owner June 9, 2026 21:45
@socket-security


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn | High | Obfuscated code: npm es-abstract is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.json › npm/ls-engines@0.9.3 › npm/es-abstract@1.24.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-abstract@1.24.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | Obfuscated code: npm npm is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.json › npm/semantic-release@25.0.2 › npm/npm@11.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npm@11.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@rexxars rexxars enabled auto-merge (squash) June 9, 2026 21:47
@rexxars rexxars requested a review from stipsan June 9, 2026 21:47

stipsan (Member) left a comment

Good catch!!

@rexxars rexxars merged commit 2b49258 into main Jun 11, 2026
16 checks passed
@rexxars rexxars deleted the fix/oxfmt-or-prettier branch June 11, 2026 18:29
2 participants