Skip to content

Publish v0.3.0 to npm #1

Description

@Trolzie

The v0.3.0 release is ready (M4 work complete locally) but is not yet published to npm.

State of the work

All four roadmap milestones are complete. Branch main (commit 9356514) contains M1–M3: responsive margin/inline display, collision-aware stacking, drop-in fallback when no .has-sidenotes ancestor, @media print stylesheet, hover/focus cue, CI workflow.

M4 work was uncommitted at the time this issue was opened (machine being decommissioned). If the local work wasn't pushed before the machine was wiped, the following must be re-derived from tasks/todo.md (which is also local; preserve it first if possible):

  • CHANGELOG.md (new) — Keep-a-Changelog format covering 0.1.0, 0.2.0, 0.2.1, 0.3.0
  • package.json — version bump 0.1.0 → 0.3.0
  • recipes/plain-html.md, recipes/eleventy.md, recipes/astro.md, recipes/hugo.md (new)
  • .github/workflows/publish.yml (new) — tag-triggered npm publish with --provenance --access public
  • README.md — install section flipped (npm/CDN primary, from-source secondary), new "Integration recipes" section between Quickstart and Attributes, M4 marked ✅ in roadmap, "What's in v0.3" → "What's in v0.3.0"
  • CLAUDE.md — milestone summary refreshed to "all four milestones complete at v0.3.0"
  • site/index.html footer — "v0.3, milestone 3 of 4" → "v0.3.0"
  • tasks/todo.md — v0.3.0 / M4 record with full breakdown of the above

What's blocking publish

npm publish --access public got past the bundle assembly stage (tarball at 17.5 kB, 16 files including LICENSE, README, dist, src, package.json — all correct) but returned 403 Forbidden:

Two-factor authentication or granular access token with bypass 2fa enabled is required to publish packages.

The npm account does not have a TOTP authenticator app configured. The "one-time codes" the account receives are sign-in verification codes sent by email, not publish-time OTPs (npm requires either TOTP, webauthn, or a granular access token with bypass-2FA).

Security note

A granular access token was generated during troubleshooting and inadvertently shared in a chat conversation. Revoke it before anything else — npmjs.com → Settings → Access Tokens → find the recently-issued side-note token → Revoke.

Resolution plan (for fresh machine)

  1. Revoke the leaked token (link above)
  2. Clone the repo and confirm M4 work is present on main. If not, re-derive from the list above (the tasks/todo.md v0.3.0 section has full text for each file)
  3. Generate a fresh granular access token at npmjs.com:
    • Name: anything memorable (e.g. side-note publish)
    • Expiration: pick a sensible date (e.g. 1 year)
    • Packages and scopes → "Only select packages" → side-note
    • Permissions: Read and write
    • Check "Allow this token to bypass two-factor authentication"
  4. Store the token locally:
    echo "//registry.npmjs.org/:_authToken=npm_xxxxxxxxxxxxxx" >> ~/.npmrc
    Use the global ~/.npmrc, NOT a repo-level .npmrc (the latter would ship with the package).
  5. Add the same token as a GitHub repo secret named NPM_TOKEN (Settings → Secrets and variables → Actions → New repository secret). This powers the tag-triggered publish workflow at .github/workflows/publish.yml for v0.3.1+.
  6. Publish v0.3.0:
    • Manual: npm ci && npm run build && npm publish --access public
    • Workflow-driven: git tag v0.3.0 && git push --tags (fires publish.yml)
  7. Verify at https://www.npmjs.com/package/side-note
  8. Smoke test: npm i side-note in a throwaway directory, confirm <script type="module">import "side-note"</script> registers the custom element

Reference

  • Browser support / API surface / behaviour: see README on main
  • Prior milestone history and design decisions: see tasks/todo.md and CHANGELOG.md

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions