fix: key stage download --json output by package name#9380
Merged
Conversation
`npm stage download <id> --json` was emitting the package contents under a literal "undefined" key because `logTar` is called without a `key` option. Pass `pkgContents.name` so the JSON output is keyed by the package name, matching `npm publish --json` and `npm pack --json`. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
reggi
changed the title
nishantms
approved these changes
May 20, 2026
reggi
added a commit
that referenced
this pull request
May 20, 2026
Backports #9380 to `release/v11` to keep `npm stage download --json` output consistent across branches. On `release/v11`, the `key == null` guard in `lib/utils/tar.js` was emitting the bare object (no wrapper key). This change adds a key so the output matches `latest` and aligns with `npm publish --json` / `npm pack --json`. ### Before (on release/v11) ```json { "name": "polo-meow-meow-meow", "version": "1.0.3", ... } ``` ### After ```json { "polo-meow-meow-meow": { "name": "polo-meow-meow-meow", "version": "1.0.3", ... } } ``` ### Background The `key == null` fallback in `lib/utils/tar.js` (still present on `release/v11`) was removed from `latest` in #9247 ("fix: sync json output of pack and publish") as a `BREAKING CHANGE`. Per that PR: > BREAKING CHANGE: the --json output of `npm pack` and `npm publish` have changed. They are now always consistent, and in the same format. > > Previously, `npm pack` would output an array of entries and `npm publish` an object. The `npm publish` object also changed forms depending on if workspaces were being published. > > Now, the output is always an object with the package name as the top level index. That breaking change was intentionally not backported to v11 (maintenance branch), so the fallback still exists here. This backport keeps the call-site contract aligned across branches so consumers get the same `{ "<pkg>": {...} }` shape on both. Clean cherry-pick of 9f7834d from #9380. --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
npm stage download <id> --jsoncurrently emits the package contents under a literal"undefined"key becauselogTaris called without akeyoption.Before
{ "undefined": { "name": "polo-meow-meow-meow", "version": "1.0.3", ... } }After
{ "polo-meow-meow-meow": { "name": "polo-meow-meow-meow", "version": "1.0.3", ... } }This matches the JSON shape of
npm publish --jsonandnpm pack --json.Background
The
key == nullfallback inlib/utils/tar.js(that would have rendered a bare object when no key was passed) was removed fromlatestin #9247 ("fix: sync json output of pack and publish") as aBREAKING CHANGE. Per that PR:When #9201 (npm stage) landed, it added a new
logTarcaller inlib/commands/stage/download.jsthat did not pass akey, silently violating the v12 contract established in #9247 and producing the"undefined"wrapper. This PR brings the new caller into compliance.Repro
A follow-up backports this to
release/v11for consistent output across branches: #9381.