Back to changelog index

3.13.2

Jul 12, 2026 · 5 packages · 8 unique changes · 2 release entries

appsbundlesBreaking changes

This release affects the solutions family.

Run contractspec connect adoption resolve --family solutions to see how it impacts your project.

Release summaries

  • public-npm-distribution-docs

    Align README, website, action docs, llms guidance, and release workflow docs with public npm distribution for non-private @lssm-tech packages.

    customer

    Consumers can install non-private @lssm-tech packages from npmjs without GitHub Packages credentials or packages:read permissions.

    integrator

    ContractSpec action README examples no longer require github-packages-token for public @lssm-tech package installs; the input is documented as a legacy/private-package exception.

    maintainer

    Release documentation records the npm access-state runbook, tarball audit expectation, and private-repository provenance limitation before any real publish/access operation.

  • restore-private-github-packages

    Restore private GitHub Packages publishing and authenticated consumption for the @lssm-tech packages included in the July 7 public npm rollout.

    customer

    Affected @lssm-tech packages require authorized GitHub Packages access instead of anonymous npmjs installation. Pre-existing public/npmjs package exceptions are not changed.

    integrator

    ContractSpec actions again accept github-packages-token for authenticated @lssm-tech package installation and consuming workflows require packages: read.

    maintainer

    Stable and canary release workflows target npm.pkg.github.com with restricted package access and GitHub Packages credentials.

Migration guide

  • Remove legacy @lssm-tech GitHub Packages registry overrides

    Required

    Public @lssm-tech packages should resolve through the default npm registry.

    When: A consumer workspace has .npmrc or Bun install.scopes entries for @lssm-tech.

    1. Remove @lssm-tech:registry=https://npm.pkg.github.com from local npm config.
    2. Remove the @lssm-tech Bun install.scopes entry that points at npm.pkg.github.com.
    3. Keep @contractspec GitHub Packages config only for separately authorized legacy/private packages.
  • Verify npm package visibility before claiming public availability

    Required

    Code and metadata changes do not change npm-side visibility by themselves.

    When: Preparing a real publish/access operation for migrated @lssm-tech packages.

    1. Run the inventory/npm-state audit and classify packages as public, missing, restricted, blocked, or unknown.
    2. Use npm publish --access public for first publishes.
    3. Use npm access public <package> or npm UI maintainer action for existing restricted packages.
    4. Run tarball file-list and secret/content audits before publishing.
  • Configure private @lssm-tech package access

    Required

    Route @lssm-tech installs through GitHub Packages with an authorized token.

    When: Installing an affected @lssm-tech package or using an action that installs one.

    1. Add @lssm-tech:registry=https://npm.pkg.github.com to local npm configuration.
    2. Add the matching @lssm-tech entry to Bun install.scopes when Bun is used.
    3. Provide a token with packages: read and repository/package access.
    4. Pass github-packages-token to ContractSpec actions that install affected private packages.
  • Stop future npmjs publication for the reverted scope

    Required

    Repository automation must publish the affected package set only to GitHub Packages.

    When: Preparing stable or canary releases.

    1. Use CONTRACTSPEC_NPM_REGISTRY_URL=https://npm.pkg.github.com.
    2. Publish with restricted access and GitHub Packages write credentials.
    3. Preserve pre-July-7 public/npmjs exceptions through the provenance allowlist.
    4. Treat already-published npmjs visibility as a separately authorized external operation.

Upgrade steps

  • Drop package-read tokens from public @lssm-tech action examples

    manual

    External CI should not pass github-packages-token for ordinary public @lssm-tech installs.

    Packages: @lssm-tech/bundle.library, @lssm-tech/bundle.marketing, @lssm-tech/app.web-landing, @lssm-tech/app.action-pr, @lssm-tech/action.validation, @lssm-tech/app.action-drift, @lssm-tech/action.version

    1. Remove github-packages-token from action usage unless a legacy/private package still requires GitHub Packages.
    2. Remove `packages: read` when it was present only for ContractSpec package installs.
    3. Keep normal GitHub permissions needed for PR comments, checks, or version-management writes.
  • Restore package-read authentication in consuming CI

    manual

    Affected consumers must restore GitHub Packages permissions and token routing.

    Packages: @lssm-tech/bundle.library, @lssm-tech/bundle.marketing, @lssm-tech/app.web-landing, @lssm-tech/app.action-pr, @lssm-tech/action.validation, @lssm-tech/app.action-drift, @lssm-tech/action.version

    1. Add packages: read where affected private packages are installed.
    2. Store an authorized package token as a secret; never commit it to repository configuration.
    3. Pass the token through github-packages-token for affected ContractSpec actions.

Unique release changes

  • - Affected consumers must restore GitHub Packages permissions and token routing.

    5 packages · 5 occurrences

  • - Align README, website, action docs, llms guidance, and release workflow docs with public npm distribution for non-private @lssm-tech packages.

    5 packages · 5 occurrences

  • - Code and metadata changes do not change npm-side visibility by themselves.

    5 packages · 5 occurrences

  • - External CI should not pass github-packages-token for ordinary public @lssm-tech installs.

    5 packages · 5 occurrences

  • - Public @lssm-tech packages should resolve through the default npm registry.

    5 packages · 5 occurrences

  • - Repository automation must publish the affected package set only to GitHub Packages.

    5 packages · 5 occurrences

  • - Restore private GitHub Packages publishing and authenticated consumption for the @lssm-tech packages included in the July 7 public npm rollout.

    5 packages · 5 occurrences

  • - Route @lssm-tech installs through GitHub Packages with an authorized token.

    5 packages · 5 occurrences

Impacted packages

  • @lssm-tech/app.action-drift

    Layer: apps · 4 changes

  • @lssm-tech/app.action-pr

    Layer: apps · 4 changes

  • @lssm-tech/app.web-landing

    Layer: apps · 4 changes

  • @lssm-tech/bundle.library

    Layer: bundles · 4 changes

  • @lssm-tech/bundle.marketing

    Layer: bundles · 4 changes