fix(vercel): force HTTPS for typescript-client git dep on Vercel#391
Merged
Conversation
npm normalizes the `github:OpenHands/typescript-client#sha` shorthand (and even an explicit `git+https://github.com/...` URL) to `git+ssh://git@github.com/...` whenever it rewrites package-lock.json during a plain `npm install`. Vercel's build environment has no GitHub SSH key, so an ssh-pinned lockfile causes Vercel to fall back to a stale cached copy of the package whose dist/clients.js predates the addition of ConversationClient, FileClient, and SharedClient. Rolldown then fails the build with: [MISSING_EXPORT] ConversationClient is not exported by node_modules/@openhands/typescript-client/dist/clients.js PR #382 fixed this once by hand-editing the lockfile, but the very next local `npm install` (e.g. PR #387 bumping React Query hooks) silently rewrote the resolved URL back to ssh and the bug returned. This change makes the Vercel build self-healing: * package.json now pins the dep as an explicit `git+https://` URL so the intent is documented in one place. * package-lock.json's top-level dep spec matches that URL; the nested `node_modules/@openhands/typescript-client` entry already resolved to https, so this brings both halves of the lockfile in sync. * vercel.json sets `installCommand` to `bash scripts/vercel-install.sh`, which: - rewrites any leftover `git+ssh://git@github.com/` resolved URLs back to https (handles future regressions), - configures `git config --global url."https://github.com/".insteadOf` for both `ssh://git@github.com/` and `git@github.com:` (handles anything npm has already normalized in cache), - then runs `npm ci` for a strict, lockfile-driven install. Locally verified: * `bash scripts/vercel-install.sh` produces a clean install with the https-resolved typescript-client. * `npm run build` and `npm run lint` both succeed after the install. * Re-running `npm install` rewrites `resolved` back to `git+ssh` as expected — the install script normalizes it again on every Vercel build, so the lockfile drift no longer breaks deploys. Refs: #384 (Vercel preview build fails: MISSING_EXPORT for SharedClient / ConversationClient / FileClient). Co-authored-by: openhands <openhands@all-hands.dev>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
all-hands-bot
approved these changes
May 12, 2026
Contributor
all-hands-bot
left a comment
all-hands-bot
left a comment
There was a problem hiding this comment.
🟢 Good taste - Simple, defensive solution to a real production problem.
The two-pronged approach (lockfile rewrite + git config) makes this self-healing even if future local npm install runs re-introduce the ssh URL. Script is clean with proper error handling.
[RISK ASSESSMENT]
- [Overall PR]
⚠️ Risk Assessment: 🟢 LOW- Only affects Vercel's install path (CI and local dev unchanged)
- Reversible (can remove
vercel.jsonif needed) - Script runs in isolated Vercel build containers with no side effects
- Manual verification documented in PR description
VERDICT:
✅ Worth merging: Pragmatic fix for npm's URL normalization behavior that broke Vercel builds
KEY INSIGHT:
Making the build self-healing (via the install script) is better than relying on manual lockfile discipline. The git config --global in an ephemeral CI container is clever defensive programming.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Make Vercel builds resolve the
@openhands/typescript-clientgit dep over HTTPS in a way that survives futurenpm installruns.Why
Every recent Vercel preview build has been failing with:
Root cause (also documented in #384):
github:OpenHands/typescript-client#shashorthand — and even an explicitgit+https://github.com/...URL — togit+ssh://git@github.com/...whenever it rewritespackage-lock.jsonduring a plainnpm install.dist/clients.jspredates the addition ofConversationClient,FileClient, andSharedClient. Rolldown then fails the build with the missing-export errors above.npm install(e.g. feat: add LLM profiles API layer and React Query hooks #387 bumping the React Query hooks) silently rewrote the resolved URL back to ssh and the bug returned.How
Make the Vercel build self-healing instead of relying on the lockfile staying clean forever:
package.jsonnow pins the dep as an explicitgit+https://github.com/OpenHands/typescript-client.git#<sha>URL, so the intent is documented in one place rather than relying on thegithub:shorthand.package-lock.json's top-level dep spec is brought in line with that URL. The nestednode_modules/@openhands/typescript-cliententry already resolved to https, so this only changes the root-levelpackages.""spec.vercel.jsonsetsinstallCommandtobash scripts/vercel-install.sh.scripts/vercel-install.sh(new):git+ssh://git@github.com/resolved URLs inpackage-lock.jsonback togit+https://github.com/(handles future regressions where someone re-runsnpm installlocally and pushes an ssh-pinned lockfile);git config --global url."https://github.com/".insteadOffor bothssh://git@github.com/andgit@github.com:, so anything npm has already cached internally as an ssh URL still resolves over https;npm cifor a strict, lockfile-driven install.AGENTS.mddocuments the protocol so future agents understand why the dep is pinned asgit+https://and whatscripts/vercel-install.shis for.Verification
Locally on the failing main commit (
78713e7):bash scripts/vercel-install.shproduces a clean install with the https-resolved typescript-client and the fulldist/clients.jsthat exportsConversationClient,FileClient,SharedClient, etc.npm run buildsucceeds.npm run lintsucceeds (0 errors; pre-existing warnings unchanged).npm installafter the install rewritesresolvedback togit+sshas expected — but the nextbash scripts/vercel-install.shnormalizes it again, so the lockfile drift no longer breaks Vercel deploys.Notes
npm cidirectly and is unaffected.@openhands/typescript-clientnpm publish or a new SHA; the existingef62e82fc3dfb03991a1c8025429caf354427263pin is correct and contains all required exports.Refs: #384, #382
This PR was created by an AI agent (OpenHands) on behalf of @rbren.