chore(repo): remove populate-storage scripts, consolidate into nx-release

[FrozenPandaz]

Current Behavior

• populate-storage.js and run-populate-storage.mjs are dead code — env vars set in the script don't propagate to the separate nx-release Nx task
• global-setup.ts has a broken import of the deleted runLocalRelease function
• A single nx-release target handles both local (verdaccio) and real (npm) releases, meaning it gets pulled into CI via affected

Expected Behavior

• Dead populate-storage scripts removed; populate-local-registry-storage delegates to nx-release via dependsOn
• nx-release is local-only (verdaccio). A new nx-release-npm target handles real npm publishes (--local false)
• publish.yml uses nx-release-npm instead of calling pnpm nx-release directly
• nx-release.ts waits for the local registry via waitForLocalRegistry() before publishing
• populate-local-registry-storage cache is busted to pick up the new task graph

Related Issue(s)

Fixes #34743

[netlify]

✅ Deploy Preview for nx-dev ready!

Name	Link
🔨 Latest commit	cd7c0e5
🔍 Latest deploy log	https://app.netlify.com/projects/nx-dev/deploys/69b494fc4b2ff7000849fb91
😎 Deploy Preview	https://deploy-preview-34814--nx-dev.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for nx-docs ready!

Name	Link
🔨 Latest commit	cd7c0e5
🔍 Latest deploy log	https://app.netlify.com/projects/nx-docs/deploys/69b494fc1587b900087356f2
😎 Deploy Preview	https://deploy-preview-34814--nx-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[nx-cloud]

View your CI Pipeline Execution ↗ for commit cd7c0e5

Command	Status	Duration	Result
nx affected --targets=lint,test,build,e2e,e2e-c...	❌ Failed	11m 41s	View ↗
nx run-many -t check-imports check-lock-files c...	✅ Succeeded	3m 39s	View ↗
nx-cloud record -- nx-cloud conformance:check	✅ Succeeded	8s	View ↗
nx-cloud record -- nx format:check	✅ Succeeded	1s	View ↗
nx-cloud record -- nx sync:check	✅ Succeeded	<1s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-03-13 23:08:34 UTC

[graphite-app]

Spawning verdaccio with detached: true without calling unref() will prevent the parent process from exiting until the child exits, defeating the purpose of background execution. Additionally, calling kill() on line 67 may not properly terminate a detached process.

Fix by either:

1. Removing detached: true if the process should be tied to parent lifecycle
2. Or calling verdaccioProcess.unref() after spawn and using process.kill(-verdaccioProcess.pid) to kill the process group:

verdaccioProcess = spawn(..., { stdio: 'ignore', detached: true });
verdaccioProcess.unref();

// In teardown:
if (verdaccioProcess && verdaccioProcess.pid) {
  process.kill(-verdaccioProcess.pid);
}

Spotted by Graphite



Is this helpful? React 👍 or 👎 to let us know.

[nx-cloud]

Important

At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.

Nx Cloud has identified a possible root cause for your failed CI:

We believe this failure is an environment artifact ordering issue rather than a defect introduced by the PR. The nx.json cache-bust increment invalidated all cached task outputs, and the CI runner attempted react-native:build-base before @nx/nx had been compiled, leaving the required .d.ts files absent. Re-running the pipeline should resolve this without any code changes.

No code changes were suggested for this issue.

Trigger a rerun:

View detailed reasoning on Nx Cloud ↗

🔔 Heads up, your workspace has pending recommendations ↗ to auto-apply fixes for similar failures.

_{🎓 Learn more about Self-Healing CI on nx.dev}

[graphite-app]

Race condition: Multiple overlapping fetch requests can occur if the async fetch takes longer than 50ms. Each interval tick starts a new async operation without waiting for previous ones to complete. This could spam the registry with requests during startup.

const interval = setInterval(async () => {
  try {
    const response = await fetch(registryUrl);
    if (response.ok) {
      clearInterval(interval);
      clearTimeout(timeout);
      console.log('Local registry is ready.');
      resolve();
    }
  } catch {
    // Registry not up yet
  }
}, 50);

Fix by using a flag to prevent concurrent checks:

let checking = false;
const interval = setInterval(async () => {
  if (checking) return;
  checking = true;
  try {
    const response = await fetch(registryUrl);
    if (response.ok) {
      clearInterval(interval);
      clearTimeout(timeout);
      console.log('Local registry is ready.');
      resolve();
    }
  } catch {
    // Registry not up yet
  } finally {
    checking = false;
  }
}, 50);

Suggested change

	const interval = setInterval(async () => {
	try {
	const response = await fetch(registryUrl);
	if (response.ok) {
	clearInterval(interval);
	clearTimeout(timeout);
	console.log('Local registry is ready.');
	resolve();
	}
	} catch {
	// Registry not up yet
	}
	}, 50);
	let checking = false;
	const interval = setInterval(async () => {
	if (checking) return;
	checking = true;
	try {
	const response = await fetch(registryUrl);
	if (response.ok) {
	clearInterval(interval);
	clearTimeout(timeout);
	console.log('Local registry is ready.');
	resolve();
	}
	} catch {
	// Registry not up yet
	} finally {
	checking = false;
	}
	}, 50);

Spotted by Graphite



Is this helpful? React 👍 or 👎 to let us know.

[graphite-app]

Command string injection vulnerability: publishVersion comes from process.env.PUBLISHED_VERSION without validation and is directly interpolated into a shell command. If an attacker controls this environment variable, they can execute arbitrary commands.

const releaseCommand = `pnpm nx-release --local ${publishVersion}`;

Fix by passing as a proper argument array or validating the input:

const publishVersion = process.env.PUBLISHED_VERSION ?? 'major';
if (!/^(major|minor|patch|\d+\.\d+\.\d+)$/.test(publishVersion)) {
  throw new Error(`Invalid PUBLISHED_VERSION: ${publishVersion}`);
}
const releaseCommand = `pnpm nx-release --local ${publishVersion}`;

Suggested change

	const releaseCommand = `pnpm nx-release --local ${publishVersion}`;
	console.log(`> ${releaseCommand}`);
	const publishVersion = process.env.PUBLISHED_VERSION ?? 'major';
	if (!/^(major|minor|patch|\d+\.\d+\.\d+)$/.test(publishVersion)) {
	throw new Error(`Invalid PUBLISHED_VERSION: ${publishVersion}`);
	}
	const releaseCommand = `pnpm nx-release --local ${publishVersion}`;
	console.log(`> ${releaseCommand}`);

Spotted by Graphite



Is this helpful? React 👍 or 👎 to let us know.