[BUILD] workspace:* dependencies in published dist/package.json

[kiosvantra]

Build Issue: workspace:* Dependencies in Published Dist

Severity: High (build artifact)
Component: Package publishing (dist/package.json)

Description

The published dist/package.json contains workspace:* protocol dependencies:

"dependencies": {
    "@opencode-ai/plugin": "workspace:*",
    "@opencode-ai/sdk": "workspace:*"
}

The workspace:* protocol is a monorepo workspace resolution mechanism, not a valid npm registry specifier. Published packages should contain resolved, pinned version numbers.

Evidence

Found in the npm cache at:

~/.cache/opencode/packages/@whisperopencode/push@latest/node_modules/@whisperopencode/push/dist/package.json

Note: The npm registry version (package.json at root of package) has pinned versions ("@opencode-ai/plugin": "1.2.21", "@opencode-ai/sdk": "1.2.21"). The workspace:* issue appears in the dist/ subdirectory's nested package.json.

Impact

• npm will fail to resolve workspace:* if someone installs from source
• The dist folder may not be self-contained for installation
• If workspace:* is interpreted literally, it could resolve to an unintended version

Root Cause

This likely occurs when the build process copies a workspace-inherited package.json into dist/ without transforming workspace protocols to registry versions.

Recommendation

1. Ensure the build process transforms workspace:* references to explicit versions before publishing
2. Add a CI check that validates dist/package.json contains no workspace protocols
3. Consider excluding dist/package.json from published artifacts entirely

References

• File: dist/package.json (inside npm package)
• Build configuration should resolve workspace deps before publishing