From 5af824cc89504fb80fd70ab67c1d5eed7e0f870c Mon Sep 17 00:00:00 2001
From: Max de Dumast
Date: Fri, 15 May 2026 10:00:29 +0100
Subject: [PATCH] docs: stop instructing readers to npm install the unpublished package
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The README, SYNC docs, and example CI scripts told readers to run `npm install -g deepl-cli`, but no package exists under that name on the public npm registry. Following those instructions today would either fail or — if a third party publishes under that name first — install untrusted code.

Replace the speculative install commands with the actual working path (install from source via `git clone … && npm ci && npm run build && npm link`) and add a security note in the README explaining the situation until an official scoped package is published.

No code changes; docs and example shell scripts only.
---
 README.md | 20 +++++++++++++++-----
 docs/SYNC.md | 17 ++++++++++++++---
 examples/05-document-translation.sh | 2 +-
 examples/12-cost-transparency.sh | 6 +-----
 examples/18-cicd-integration.sh | 6 +++++-
 examples/31-sync-ci.sh | 17 ++++++++++++++---
 examples/README.md | 2 +-
 7 files changed, 51 insertions(+), 19 deletions(-)

diff --git a/README.md b/README.md
index 020582f..be0f161 100644
--- a/README.md
+++ b/README.md
@@ -80,11 +80,21 @@ deepl --version > - **Linux**: `python3`, `make`, and `gcc` (`apt install python3 make gcc g++`) > - **Windows**: Visual Studio Build Tools or `windows-build-tools` (`npm install -g windows-build-tools`) -### From npm (not yet published) - -An npm package is not yet published; install from source until then. - -> **CI examples below** (and generated hook output) assume a published npm package; source-installed users should substitute the source-install path. +### From npm + +The npm package has not been published yet. Until it is, install from source +using the **From Source** instructions above. The CI examples in this README, +in [`docs/SYNC.md`](docs/SYNC.md), and in [`examples/`](examples/) install from +the GitHub repository directly (`git clone … && npm ci && npm run build && +npm link`) so they work today without a published package; they can be +shortened to `npm install -g deepl-cli` once the package is on the public +registry. + +> **Security note.** Do not run `npm install -g deepl-cli` against the public +> registry today — there is no official package under that name yet, so any +> match would be a third-party publish. Use the source install (or pin a +> specific commit / signed release tag of this repository in CI) until an +> official scoped package is announced. ## 🚀 Quick Start diff --git a/docs/SYNC.md b/docs/SYNC.md index 624ec78..5ea1ce4 100644 --- a/docs/SYNC.md +++ b/docs/SYNC.md @@ -808,7 +808,12 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - run: npm install -g deepl-cli + # The npm package is not yet published; install from source. + # Pin to a specific tag/commit for reproducible builds. + - name: Install DeepL CLI + run: | + git clone --depth 1 https://github.com/DeepLcom/deepl-cli.git /tmp/deepl-cli + cd /tmp/deepl-cli && npm ci && npm run build && npm link - name: Check translations are up to date run: deepl sync --frozen env: 
@@ -832,7 +837,10 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - run: npm install -g deepl-cli + - name: Install DeepL CLI + run: | + git clone --depth 1 https://github.com/DeepLcom/deepl-cli.git /tmp/deepl-cli + cd /tmp/deepl-cli && npm ci && npm run build && npm link - name: Sync and commit translations run: | git config user.name "github-actions[bot]" @@ -862,8 +870,11 @@ The `.deepl-sync.lock` file is only staged when this sync run actually wrote an i18n-check: stage: test image: node:20 + before_script: + # The npm package is not yet published; install from source. + - git clone --depth 1 https://github.com/DeepLcom/deepl-cli.git /tmp/deepl-cli + - cd /tmp/deepl-cli && npm ci && npm run build && npm link && cd - script: - - npm install -g deepl-cli - deepl sync --frozen variables: DEEPL_API_KEY: $DEEPL_API_KEY diff --git a/examples/05-document-translation.sh b/examples/05-document-translation.sh index 80c3dd6..0fbdb45 100755 --- a/examples/05-document-translation.sh +++ b/examples/05-document-translation.sh @@ -83,7 +83,7 @@ Key Features: - Real-time file watching Installation: -npm install -g deepl-cli +See the project README for installation instructions. Usage: deepl translate "Hello, world!" --to es diff --git a/examples/12-cost-transparency.sh b/examples/12-cost-transparency.sh index 3e1955e..55eb731 100755 --- a/examples/12-cost-transparency.sh +++ b/examples/12-cost-transparency.sh @@ -86,11 +86,7 @@ echo " Creating a technical document with code..." cat > "$TEMP_DIR/technical.md" << 'EOF' # Installation Guide -Run the following command: - -```bash -npm install deepl-cli -``` +Install DeepL CLI from source (see the project README). Then configure your API key: `deepl auth set-key YOUR_KEY` EOF diff --git a/examples/18-cicd-integration.sh b/examples/18-cicd-integration.sh index 50b186b..0c2c3b5 100755 --- a/examples/18-cicd-integration.sh +++ b/examples/18-cicd-integration.sh 
@@ -138,8 +138,12 @@ jobs: with: node-version: '20' + # The npm package is not yet published; install from source. + # Pin to a tag/commit for reproducible builds in production. - name: Install DeepL CLI - run: npm install -g deepl-cli + run: | + git clone --depth 1 https://github.com/DeepLcom/deepl-cli.git /tmp/deepl-cli + cd /tmp/deepl-cli && npm ci && npm run build && npm link - name: Configure API Key env: diff --git a/examples/31-sync-ci.sh b/examples/31-sync-ci.sh index 1b7b76c..088a6f3 100755 --- a/examples/31-sync-ci.sh +++ b/examples/31-sync-ci.sh @@ -117,7 +117,11 @@ cat << 'WORKFLOW' runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - run: npm install -g deepl-cli + # The npm package is not yet published; install from source. + - name: Install DeepL CLI + run: | + git clone --depth 1 https://github.com/DeepLcom/deepl-cli.git /tmp/deepl-cli + cd /tmp/deepl-cli && npm ci && npm run build && npm link - name: Check translations are up to date run: deepl sync --frozen env: @@ -132,8 +136,11 @@ cat << 'GITLAB' i18n-check: stage: test image: node:20 + before_script: + # The npm package is not yet published; install from source. + - git clone --depth 1 https://github.com/DeepLcom/deepl-cli.git /tmp/deepl-cli + - (cd /tmp/deepl-cli && npm ci && npm run build && npm link) script: - - npm install -g deepl-cli - deepl sync --frozen variables: DEEPL_API_KEY: $DEEPL_API_KEY @@ -158,7 +165,11 @@ cat << 'AUTOSYNC' runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - run: npm install -g deepl-cli + # The npm package is not yet published; install from source. + - name: Install DeepL CLI + run: | + git clone --depth 1 https://github.com/DeepLcom/deepl-cli.git /tmp/deepl-cli + cd /tmp/deepl-cli && npm ci && npm run build && npm link - name: Sync translations run: deepl sync --format json env: diff --git a/examples/README.md b/examples/README.md index e8fee41..896019f 100644 --- a/examples/README.md +++ b/examples/README.md 
@@ -73,7 +73,7 @@ This directory contains practical, real-world examples of using the DeepL CLI. All examples assume you have: -1. Installed DeepL CLI (`npm install -g deepl-cli` or `npm link`) +1. Installed DeepL CLI from source (see [`README.md` → From Source](../README.md#from-source); the npm package is not yet published) 2. A DeepL API key configured (`deepl auth set-key YOUR_API_KEY`) ## Running Examples
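
Review bot: In the README.md hunk (@@ -80,11 +80,21), the removed blockquote said that generated hook output also assumes a published npm package, and the replacement text no longer mentions hook output at all. The commit message states there are no code changes, so if the hook generator still emits `npm install -g deepl-cli`, its users end up running the command the new security note tells them not to run. Either keep a sentence covering generated hook output or confirm in the commit message that it does not contain that command. Separately, the new paragraph says the examples "can be shortened to `npm install -g deepl-cli`" once published, while the security note expects an "official scoped package"; a scoped package would be installed under a different name, so the README should not promise the unscoped command.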
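
Review bot: The comment added in the first docs/SYNC.md workflow hunk (@@ -808,7 +808,12) says "Pin to a specific tag/commit for reproducible builds", but the command under it clones whatever is at the tip of the default branch: `git clone --depth 1 https://github.com/DeepLcom/deepl-cli.git /tmp/deepl-cli`. Readers copy the command, not the comment, and the step then runs `npm ci && npm run build && npm link` on that unpinned checkout. Show the pinned form in the snippet itself, for example `git clone --depth 1 --branch <release-tag> …`, or fetch a placeholder `<commit-sha>` and check out `FETCH_HEAD`. The same unpinned clone appears in the @@ -832 hunk, where the following step configures `github-actions[bot]` to commit, and that hunk also lacks the explanatory comment; examples/18-cicd-integration.sh and the three heredocs in examples/31-sync-ci.sh repeat it as well.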
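
Review bot: The GitLab `before_script` is written two different ways in this patch. The docs/SYNC.md hunk (@@ -862,8 +870,11) uses `cd /tmp/deepl-cli && npm ci && npm run build && npm link && cd -`, while the examples/31-sync-ci.sh hunk (@@ -132,8 +136,11) uses a subshell: `(cd /tmp/deepl-cli && npm ci && npm run build && npm link)`. The subshell form leaves the job's working directory untouched without relying on `cd -`, which also prints the previous directory into the job log. Use the subshell form in both places so the documented snippet and the example script stay identical.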
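
Review bot: In the examples/12-cost-transparency.sh hunk (@@ -86,11 +86,7), the only fenced code block in the generated `technical.md` is removed, yet the context line above still prints "Creating a technical document with code...". After this change the sample document contains only the inline `deepl auth set-key YOUR_KEY`, so the example no longer exercises a fenced block if that was its purpose. Consider keeping a fenced block with a command that is safe to copy, such as moving `deepl auth set-key YOUR_KEY` into the fence, instead of deleting the block outright.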