Skip to content

fix: disable implicit publishing by default [breaking] #9476

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
biw wants to merge 6 commits into
base: master
Choose a base branch
from
Open

fix: disable implicit publishing by default [breaking] #9476

biw wants to merge 6 commits into from
+14 −16

Conversation

@biw
Copy link
Contributor

@biw biw commented Dec 31, 2025

Remove automatic publish detection based on CI environment, git tags, and npm lifecycle events. Publishing must now be explicitly requested via the --publish CLI flag or configuration.

This is a breaking change that addresses the security and usability concerns raised in #5463.

BREAKING CHANGE: Publishing no longer happens automatically in CI. Use --publish flag explicitly (e.g., --publish always, --publish onTag).

This is designed to be merged in version 27, and #9475 is the warning for the next patch version.

biw and others added 3 commits December 30, 2025 19:15
@biw
fix: skip Netlify PR deploy workflow on forks
d9695d5
@biw
Merge pull request #3 from biw/biw/netlify-skip-forks
bef6fef 
fix: skip Netlify PR deploy workflow on forks
@biw
fix: disable implicit publishing by default
bd52f05 
Remove automatic publish detection based on CI environment, git tags,
and npm lifecycle events. Publishing must now be explicitly requested
via the --publish CLI flag or configuration.

This is a breaking change that addresses the security and usability
concerns raised in electron-userland#5463 where unexpected auto-publishing could
accidentally expose secrets or publish unfinished work.

BREAKING CHANGE: Publishing no longer happens automatically in CI.
Use --publish flag explicitly (e.g., --publish always, --publish onTag).

Fixes electron-userland#5463
@changeset-bot
Copy link

changeset-bot bot commented Dec 31, 2025
edited
Loading

🦋 Changeset detected

Latest commit: 7355170

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 8 packages
Name Type
app-builder-lib Major
dmg-builder Major
electron-builder-squirrel-windows Major
electron-builder Major
electron-forge-maker-appimage Major
electron-forge-maker-nsis-web Major
electron-forge-maker-nsis Major
electron-forge-maker-snap Major

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@biw biw mentioned this pull request Dec 31, 2025
Merged
@mmaietta
Copy link
Collaborator

mmaietta commented Jan 1, 2026

Thanks for prepping the multi-step set of PRs! Love the change.
Aptly timed as well, as the ESM/Node22 migration for electron-builder v27 is beginning soon.

@biw
Copy link
Contributor Author

biw commented Jan 5, 2026

Happy I could help!

On the test falure, is there a easy way to fix them / verify they aren't false positives?

@mmaietta
Copy link
Collaborator

mmaietta commented Jan 6, 2026
edited
Loading

Looks like it was a transitive dependency in the node_modules collector fixtures that had a file added, so it was causing the tests to fail suddenly (no changes to master branch)

Just pushed the change and updated the relevant PRs to latest master

@mmaietta mmaietta changed the title fix: disable implicit publishing by default fix: disable implicit publishing by default [breaking] Jan 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

app-builder-lib

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@biw @mmaietta