
Add OTP prompt to release script#14

Merged
justin808 merged 1 commit into master from jg/add-otp-prompt-release-script on Feb 13, 2026

Conversation

@justin808 (Member) commented Feb 13, 2026

Summary

  • Adds an interactive OTP prompt before npm publish in the release script
  • Required because npm publish fails with EOTP when 2FA is enabled

Test plan

  • Run yarn release and verify OTP prompt appears before publish step

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enhanced security for the npm release process by requiring OTP (One-Time Password) authentication before publishing.

npm publish requires a one-time password when 2FA is enabled.
The script now prompts for the OTP code before publishing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@coderabbitai bot commented Feb 13, 2026

Walkthrough

The release script now requires npm One-Time Password (OTP) authentication. A prompt collects the OTP code from the user before executing the npm publish command, which includes the OTP flag.

Changes

Cohort / File(s)                        Summary
OTP Authentication for npm Publishing
  scripts/release.js                    Added readline prompt to collect user OTP code; modified npm publish invocation to include --otp flag with the collected code.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A code for safety, typed with care,
OTP whispers through the air,
Publish secure, npm won't frown,
The safest release hops into town! 🎉

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name                Status     Explanation
Description Check         ✅ Passed  Check skipped - CodeRabbit's high-level summary is enabled.
Title check               ✅ Passed  The title clearly and concisely summarizes the main change: adding an OTP prompt to the release script, which matches the primary objective of enabling npm publishing with 2FA.
Docstring Coverage        ✅ Passed  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Merge Conflict Detection  ✅ Passed  No merge conflicts detected when merging into master



No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
scripts/release.js (1)

142-147: Unsanitized user input interpolated into a shell command.

The otp value is spliced directly into the exec() string. While this is an interactive developer-only script (so the blast radius is small), it's still good practice to validate the input. A simple regex check also improves UX by catching typos before the publish attempt.

🛡️ Proposed fix: validate OTP before use
-  const otp = readline.question('Enter your npm OTP code: ')
-
-  log('Publishing...')
-  if (
-    exec(`cd ${outDir} && npm publish --access public --otp=${otp}`).code !== 0
-  ) {
+  let otp = readline.question('Enter your npm OTP code: ')
+  while (!/^\d{6,8}$/.test(otp)) {
+    otp = readline.question('Invalid OTP. Enter a valid numeric OTP code: ')
+  }
+
+  log('Publishing...')
+  if (
+    exec(`cd ${outDir} && npm publish --access public --otp=${otp}`).code !== 0
+  ) {
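Review bot: the loop never trims what readline.question returns, so a correct code pasted with a trailing space or newline fails `^\d{6,8}$` and is re-prompted with no hint why; apply `.trim()` to both `readline.question(...)` results before the test. The anchored digits-only regex does close the injection path, but the OTP is still spliced into a shell string handed to exec; building an argv array for a no-shell spawn (`['publish', '--access', 'public', `--otp=${otp}`]`) removes the bug class instead of guarding one instance of it. One more line worth a comment in the script: `--otp=` on the command line is visible to other local users via `ps` for the duration of the publish, which is tolerable for a short-lived code but should be a conscious choice.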


@greptile-apps bot commented Feb 13, 2026

Greptile Overview

Greptile Summary

Adds an OTP prompt before npm publish to handle 2FA requirements, solving the EOTP error when publishing packages with 2FA enabled.

  • Prompts user for OTP code before publishing
  • Passes OTP to npm publish via --otp flag
  • Security Issue: OTP input is not validated before being passed to shell command, creating a command injection vulnerability

Confidence Score: 2/5

  • This PR has a critical command injection vulnerability that must be fixed before merging
  • The OTP input handling creates a security vulnerability where unsanitized user input is directly interpolated into a shell command. While the functionality addresses the stated problem, the security risk is significant and needs immediate attention.
  • scripts/release.js requires validation of OTP input before use in shell command

Important Files Changed

Filename            Overview
scripts/release.js  Adds OTP prompt for npm publish with 2FA, but has a command injection vulnerability

Flowchart

flowchart TD
    A[Start Release Process] --> B[Run Tests]
    B --> C{Tests Pass?}
    C -->|No| D[Abort Release]
    C -->|Yes| E[Build Package]
    E --> F[Confirm Publish]
    F --> G{User Confirms?}
    G -->|No| D
    G -->|Yes| H[Prompt for OTP]
    H --> I[Execute npm publish with OTP]
    I --> J{Publish Success?}
    J -->|No| D
    J -->|Yes| K[Update VERSION File]
    K --> L[Commit and Tag]
    L --> M[Push to GitHub]
    M --> N[Release Complete]

Last reviewed commit: ba69b2e

greptile-apps bot left a comment

1 file reviewed, 1 comment

Comment on lines +142 to +146
const otp = readline.question('Enter your npm OTP code: ')

log('Publishing...')
if (exec(`cd ${outDir} && npm publish --access public `).code !== 0) {
if (
exec(`cd ${outDir} && npm publish --access public --otp=${otp}`).code !== 0

Command injection vulnerability: the OTP input is directly interpolated into a shell command without validation. If a user enters 123456; rm -rf /, it would execute the malicious command. Validate that OTP contains only digits (typically 6 digits).

Suggested change
const otp = readline.question('Enter your npm OTP code: ')
log('Publishing...')
if (exec(`cd ${outDir} && npm publish --access public `).code !== 0) {
if (
exec(`cd ${outDir} && npm publish --access public --otp=${otp}`).code !== 0
const otp = readline.question('Enter your npm OTP code: ')
// Validate OTP is numeric
if (!/^\d{6}$/.test(otp)) {
logError('Invalid OTP format. OTP must be 6 digits.')
exit(1)
}
log('Publishing...')
if (
exec(`cd ${outDir} && npm publish --access public --otp=${otp}`).code !== 0
) {
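Review bot: `exit(1)` on a malformed code aborts the release after the tests, build and confirm step have already run; since a mistyped digit is the common failure here, re-prompting is cheaper than restarting `yarn release`. `^\d{6}$` will also reject a correct code pasted with surrounding whitespace unless the input is trimmed first, so add `.trim()` to the `readline.question` result. `logError` and `exit` are not defined in the visible lines; confirm they are helpers release.js already has in scope before taking the suggestion as-is.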

@justin808 justin808 merged commit e3d68a6 into master Feb 13, 2026
6 checks passed