fix: auto sync _npmUser field (#912)

closes #910

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Publish flow exposes an isPrivate flag and includes publisher
(_npmUser) information in both full and abbreviated manifests.

* **Behavior**
* Sync now detects and reconciles metadata differences (deprecated,
funding, publisher) per-version and per-tag, preserving existing
publisher info for public packages.

* **Tests**
* Added tests covering publisher propagation and metadata auto-sync
across sync scenarios.

* **Chores**
  * Bumped packument dependency.

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: MK (fengmk2) <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: fengmk2

app/core/service/PackageManagerService.ts

@@ -82,6 +82,9 @@ export interface PublishPackageCmd {
     'content' | 'localFile'
   >;
   tags?: string[];
+  /**
+   * private package or not
+   */
   isPrivate: boolean;
   // only use on sync package
   publishTime?: Date;
@@ -175,12 +178,24 @@ export class PackageManagerService extends AbstractService {
       }
     }
 
-    // set _npmUser field to cmd.packageJson
-    cmd.packageJson._npmUser = {
-      // clean user scope prefix
-      name: publisher.displayName,
-      email: publisher.email,
-    };
+    // override _npmUser field if is private package or _npmUser field not exists
+    // otherwise avoid overriding _npmUser field from sync package, e.g.: oidc publish package
+    // "_npmUser": {
+    //   "name": "GitHub Actions",
+    //   "email": "[email protected]",
+    //   "trustedPublisher": {
+    //     "id": "github",
+    //     "oidcConfigId": "oidc:d0f693c3-ada3-4197-b34c-b7aaeb524f11"
+    //   }
+    // }
+    if (cmd.isPrivate || !cmd.packageJson._npmUser) {
+      // set _npmUser field to cmd.packageJson
+      cmd.packageJson._npmUser = {
+        // clean user scope prefix
+        name: publisher.displayName,
+        email: publisher.email,
+      };
+    }
 
     // add _registry_name field to cmd.packageJson
     const registry = await this.getSourceRegistry(pkg);
@@ -250,6 +265,7 @@ export class PackageManagerService extends AbstractService {
       // npminstall require publish time to show the recently update versions
       publish_time: cmd.packageJson.publish_time,
       _source_registry_name: cmd.packageJson._source_registry_name,
+      _npmUser: cmd.packageJson._npmUser,
     } as AbbreviatedPackageJSONType);
     const abbreviatedDistBytes = Buffer.from(abbreviated);
     const abbreviatedDistIntegrity = await calculateIntegrity(abbreviatedDistBytes);
@@ -581,6 +597,28 @@ export class PackageManagerService extends AbstractService {
     await this._mergeManifestDist(pkgVersion.abbreviatedDist, mergeAbbreviated);
   }
 
+  public async savePackageVersionManifestWithBuilder(
+    pkgVersion: PackageVersion,
+    manifestBuilder: JSONBuilder,
+    abbreviatedBuilder?: JSONBuilder,
+  ) {
+    const manifestBytes = manifestBuilder.build();
+    const manifestIntegrity = await calculateIntegrity(manifestBytes);
+    pkgVersion.manifestDist.size = manifestBytes.length;
+    pkgVersion.manifestDist.shasum = manifestIntegrity.shasum;
+    pkgVersion.manifestDist.integrity = manifestIntegrity.integrity;
+    await this.distRepository.saveDist(pkgVersion.manifestDist, manifestBytes);
+    if (abbreviatedBuilder) {
+      const abbreviatedBytes = abbreviatedBuilder.build();
+      const abbreviatedIntegrity = await calculateIntegrity(abbreviatedBytes);
+      pkgVersion.abbreviatedDist.size = abbreviatedBytes.length;
+      pkgVersion.abbreviatedDist.shasum = abbreviatedIntegrity.shasum;
+      pkgVersion.abbreviatedDist.integrity = abbreviatedIntegrity.integrity;
+      await this.distRepository.saveDist(pkgVersion.abbreviatedDist, abbreviatedBytes);
+    }
+    await this.packageRepository.savePackageVersion(pkgVersion);
+  }
+
   /**
    * save package version readme
    */
@@ -1052,6 +1090,7 @@ export class PackageManagerService extends AbstractService {
     manifestDist.shasum = manifestIntegrity.shasum;
     manifestDist.integrity = manifestIntegrity.integrity;
     await this.distRepository.saveDist(manifestDist, manifestBytes);
+    // FIXME: should store new size, shasum and integrity to database
   }
 
   private async _updatePackageManifestsToDists(

app/core/service/PackageSyncerService.ts

@@ -15,6 +15,7 @@ import { PresetRegistryName, SyncDeleteMode } from '../../common/constants.ts';
 import { TaskState, TaskType } from '../../common/enum/Task.ts';
 import { downloadToTempfile } from '../../common/FileUtil.ts';
 import { detectInstallScript, getScopeAndName } from '../../common/PackageUtil.ts';
+import { DistRepository } from '../../repository/DistRepository.ts';
 import type {
   AuthorType,
   PackageJSONType,
@@ -82,6 +83,8 @@ export class PackageSyncerService extends AbstractService {
   private readonly registryManagerService: RegistryManagerService;
   @Inject()
   private readonly scopeManagerService: ScopeManagerService;
+  @Inject()
+  private readonly distRepository: DistRepository;
 
   public async createTask(fullname: string, options?: SyncPackageTaskOptions) {
     const [scope, name] = getScopeAndName(fullname);
@@ -1465,6 +1468,71 @@ ${diff.addedVersions.length} added, ${diff.removedVersions.length} removed, calc
         logs.push(`[${isoNow()}] 🟢 Removed version ${version} success`);
       }
     }
+    // #endregion
+
+    // #region check different meta data
+    // these fields will be changed after publish, so we need to check if they are different
+    const fieldsToCheck = [
+      'deprecated',
+      'funding',
+      // this field won't change, but this is a bug(#910) on cnpmcore, so we need to check if it is different
+      '_npmUser',
+    ];
+    // for performance reason, we won't check all versions by default, only check those versions on dist-tags
+    for (const version of Object.values(distTags)) {
+      // ignore already synced versions
+      if (updateVersions.includes(version) || diff.removedVersions.includes(version)) {
+        continue;
+      }
+      const pkgVersion = await this.packageRepository.findPackageVersion(pkg.packageId, version);
+      if (!pkgVersion) {
+        logs.push(`[${isoNow()}] 🚧 version ${version} not exists in database, skip check different meta data`);
+        continue;
+      }
+      const manifestBuilder = await this.distRepository.findPackageVersionManifestJSONBuilder(pkg.packageId, version);
+      if (!manifestBuilder) {
+        logs.push(`[${isoNow()}] 🚧 version ${version} manifest not exists, skip check different meta data`);
+        continue;
+      }
+      const abbreviatedManifestBuilder = await this.distRepository.findPackageAbbreviatedManifestJSONBuilder(
+        pkg.packageId,
+        version,
+      );
+      if (!abbreviatedManifestBuilder) {
+        logs.push(`[${isoNow()}] 🚧 version ${version} abbreviated manifest not exists, may be a bug here`);
+      }
+      let hasDifferent = false;
+      const diffMeta: Record<string, unknown> = {};
+      for (const field of fieldsToCheck) {
+        const remoteValue = packument.getBufferIn(['versions', version, field])?.toString();
+        const localValue = manifestBuilder.getBufferIn([field])?.toString();
+        if (remoteValue !== localValue) {
+          const newValue = remoteValue ? JSON.parse(remoteValue) : undefined;
+          if (newValue === undefined) {
+            // delete
+            manifestBuilder.deleteIn([field]);
+            abbreviatedManifestBuilder?.deleteIn([field]);
+            diffMeta[field] = '$$delete$$';
+          } else {
+            // update
+            manifestBuilder.setIn([field], newValue);
+            abbreviatedManifestBuilder?.setIn([field], newValue);
+            diffMeta[field] = newValue;
+          }
+          hasDifferent = true;
+        }
+      }
+      if (hasDifferent) {
+        await this.packageManagerService.savePackageVersionManifestWithBuilder(
+          pkgVersion,
+          manifestBuilder,
+          abbreviatedManifestBuilder,
+        );
+        updateVersions.push(version);
+        logs.push(`[${isoNow()}] 🟢 Synced version ${version} success, different meta: ${JSON.stringify(diffMeta)}`);
+      }
+    }
+    // #endregion
 
     logs.push(
       `[${isoNow()}] 🟢 Synced updated ${updateVersions.length} versions, removed ${diff.removedVersions.length} versions`,
@@ -1477,7 +1545,6 @@ ${diff.addedVersions.length} added, ${diff.removedVersions.length} removed, calc
       await this.packageManagerService.refreshPackageChangeVersionsToDists(pkg, updateVersions, diff.removedVersions);
       logs.push(`[${isoNow()}] 🟢 Refresh use ${Date.now() - start}ms`);
     }
-    // #endregion
 
     // #region update tags
     // "dist-tags": {

app/repository/DistRepository.ts

@@ -29,13 +29,47 @@ export class DistRepository {
     }
   }
 
+  async findPackageVersionManifestJSONBuilder(
+    packageId: string,
+    version: string,
+    includeReadme = false,
+  ): Promise<JSONBuilder | undefined> {
+    const packageVersion = await this.packageRepository.findPackageVersion(packageId, version);
+    if (packageVersion) {
+      // include readme
+      if (includeReadme) {
+        const [builder, readme] = await Promise.all([
+          this.readDistBytesToJSONBuilder(packageVersion.manifestDist),
+          this.readDistBytesToString(packageVersion.readmeDist),
+        ]);
+        if (builder) {
+          builder.setIn(['readme'], readme);
+        }
+        return builder;
+      }
+
+      // only return manifest builder
+      return await this.readDistBytesToJSONBuilder(packageVersion.manifestDist);
+    }
+  }
+
   async findPackageAbbreviatedManifest(packageId: string, version: string): Promise<PackageJSONType | undefined> {
     const packageVersion = await this.packageRepository.findPackageVersion(packageId, version);
     if (packageVersion) {
       return await this.readDistBytesToJSON(packageVersion.abbreviatedDist);
     }
   }
 
+  async findPackageAbbreviatedManifestJSONBuilder(
+    packageId: string,
+    version: string,
+  ): Promise<JSONBuilder | undefined> {
+    const packageVersion = await this.packageRepository.findPackageVersion(packageId, version);
+    if (packageVersion) {
+      return await this.readDistBytesToJSONBuilder(packageVersion.abbreviatedDist);
+    }
+  }
+
   async readDistBytesToJSON<T>(dist: Dist) {
     const str = await this.readDistBytesToString(dist);
     if (str) {

package.json

@@ -84,7 +84,7 @@
     "registry"
   ],
   "dependencies": {
-    "@cnpmjs/packument": "^1.4.0",
+    "@cnpmjs/packument": "^1.5.0",
     "@eggjs/redis": "beta",
     "@eggjs/scripts": "beta",
     "@eggjs/tracer": "beta",

test/TestUtil.ts

@@ -23,6 +23,10 @@ const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
 interface PackageOptions {
+  _npmUser?: {
+    name: string;
+    email: string;
+  };
   name?: string;
   version?: string;
   versionObject?: object;
@@ -216,6 +220,10 @@ export class TestUtil {
       const firstVersion = Object.keys(versions)[0];
       const version = versions[firstVersion];
       let updateAttach = false;
+      if (options._npmUser) {
+        pkg._npmUser = options._npmUser;
+        version._npmUser = options._npmUser;
+      }
       if (options.name) {
         pkg.name = options.name;
         version.name = options.name;