From 2e24f1e2deadd78810d9569dc400b32eaf1a1244 Mon Sep 17 00:00:00 2001
From: Dominik Jain <dominik.jain@outlook.com>
Date: Tue, 31 Mar 2026 13:20:58 +0200
Subject: [PATCH] :bug: Fix lock file not being included in npm package

The root lock file not being present causes issues, because
the sub-project dependencies are managed by it.

The lack of inclusion of pnpm-lock.yaml was the root cause of #8829.
A dependency was updated incompatibly, breaking the release.

Since npm pack has a hard exclusion rule for pnpm-lock.yaml,
we include it under a different name and restore it at runtime.
---
 mcp/README.md        | 6 ++++--
 mcp/bin/mcp-local.js | 9 +++++++++
 mcp/scripts/pack     | 9 ++++-----
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/mcp/README.md b/mcp/README.md
index a9a623b1e0..bd9d9b6447 100644
--- a/mcp/README.md
+++ b/mcp/README.md
@@ -306,5 +306,7 @@ you may set the following environment variables to configure the two servers
   - Ensure that at least the major, minor and patch components of the version are always up-to-date.
   - The MCP plugin assumes that a mismatch between the MCP version and the Penpot version (as returned by the API) 
     indicates incompatibility, resulting in the display of a warning message in the plugin UI.
-* Packaging and publishing:
-  - Create npm package: `bash scripts/pack` (sets version and then calls `npm pack`)
+* Packaging and publishing: 
+  1. Ensure release version is set correctly in package.json (call `bash scripts/set-version` to update it automatically)
+  2. Create npm package: `bash scripts/pack` (creates `penpot-mcp-<version>.tgz` for publishing)
+  3. Publish to npm: `npm publish penpot-mcp-<version>.tgz --access public`
diff --git a/mcp/bin/mcp-local.js b/mcp/bin/mcp-local.js
index 517762b4f9..65a2b0f763 100644
--- a/mcp/bin/mcp-local.js
+++ b/mcp/bin/mcp-local.js
@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 
 const { execSync } = require("child_process");
+const fs = require("fs");
 const path = require("path");
 
 const root = path.resolve(__dirname, "..");
@@ -9,6 +10,14 @@ function run(command) {
   execSync(command, { cwd: root, stdio: "inherit" });
 }
 
+// pnpm-lock.yaml is hard-excluded by npm pack; it is shipped as pnpm-lock.dist.yaml
+// and restored here before bootstrap runs.
+const distLock = path.join(root, "pnpm-lock.dist.yaml");
+const lock = path.join(root, "pnpm-lock.yaml");
+if (fs.existsSync(distLock)) {
+  fs.copyFileSync(distLock, lock);
+}
+
 try {
   run("corepack pnpm run bootstrap");
 } catch (error) {
diff --git a/mcp/scripts/pack b/mcp/scripts/pack
index 06826b2143..16a869cf00 100644
--- a/mcp/scripts/pack
+++ b/mcp/scripts/pack
@@ -1,12 +1,11 @@
 #!/usr/bin/env bash
-#
-# Sets the version from Git tags, then produces the npm tarball.
-# Must be invoked directly (not via npm/pnpm) so that the version
-# is written to package.json before npm reads it.
 
 set -euo pipefail
 
 cd "$(dirname "$0")/.."
 
-bash ./scripts/set-version
+# pnpm-lock.yaml is hard-excluded by npm, but we need it; ship it under a neutral name
+cp pnpm-lock.yaml pnpm-lock.dist.yaml
+trap 'rm -f pnpm-lock.dist.yaml' EXIT
+
 npm pack