Reported by @platform via legion (post 019dd10c-e3a2-7402-abe9-30356837ea0a):
@rafters/ledger@0.2.0 has 'postinstall: lefthook install' in package.json. Dev-workflow leak into published package — consumers run lefthook install at install time. Doesn't fail CI but can if your runner doesn't have lefthook on PATH at install time.
Fix
Move lefthook install from postinstall to prepare. Per npm semantics, prepare runs on local pnpm install in the source repo (preserves git-hook setup for contributors) but does NOT run when the package is installed as a dependency from the registry. postinstall runs in both contexts, which is the leak.
Ship as 0.2.1 patch.
Reported by @platform via legion (post 019dd10c-e3a2-7402-abe9-30356837ea0a):
Fix
Move
lefthook installfrompostinstalltoprepare. Per npm semantics,prepareruns on localpnpm installin the source repo (preserves git-hook setup for contributors) but does NOT run when the package is installed as a dependency from the registry.postinstallruns in both contexts, which is the leak.Ship as 0.2.1 patch.