Ghost v0.3.1 GitHub release: tag exists but was never published to npm

[byapparov]

Context

While investigating the v0.3.2 release today, I confirmed that @aictrl/cli@0.3.1 was never actually published to npm, even though:

• The v0.3.1 git tag exists on main
• The GitHub release page still shows "Latest" (or did until v0.3.2 superseded it)
• The CHANGELOG documents the 0.3.1 entry for GLM-5.1 support
• The chore: bump @aictrl/cli to 0.3.1 commit was merged

But:

$ npm view @aictrl/cli versions
[ ..., '0.2.0', '0.3.0', '0.3.2' ]

No 0.3.1. Users doing npm install @aictrl/cli@0.3.1 get npm error 404 Not Found.

Why

The publish workflow failed in 18s on 2026-04-03 with the same MODULE_NOT_FOUND: promise-retry bug that bit us today (run 23961886096). Nobody noticed because nothing pages on a failed release workflow.

Root cause and permanent fix landed in #49. But the ghost v0.3.1 state is still there and will confuse anyone who looks at release history or tries to install a specific version.

Impact

• Anyone following the CHANGELOG thinks GLM-5.1 support shipped in 0.3.1 and wonders why npm install @aictrl/cli@0.3.1 404s
• The GLM-5.1 feature (the intended 0.3.1 content) is actually in 0.3.2, bundled together with the optionalDependencies fix from fix: refresh platform binary optionalDependencies on every release #46
• Version history looks broken: 0.2.0 → 0.3.0 → 0.3.2 with a phantom 0.3.1

Options

1. Delete the v0.3.1 git tag and GitHub release. Cleanest for new eyes — there's just no 0.3.1 in the history. Downside: destroys the historical record that it was attempted. Also some external systems (changelogs, feed readers) may have already indexed it.
2. Edit the v0.3.1 release body to add a "⚠️ NEVER PUBLISHED" banner pointing users at 0.3.2. Leaves the historical record intact. Downside: npm install @aictrl/cli@0.3.1 still 404s — we can't retroactively fix npm.
3. Re-publish v0.3.1 to npm by cutting a new release tag pointing at the old commit. Downside: the old commit predates the optionalDependencies fix from fix: refresh platform binary optionalDependencies on every release #46, so it would re-ship the broken @aictrl/cli-linux-x64: 0.2.0 pin that we just fixed. This is the wrong choice. Do not do it.

Recommend option 2 — keeps history honest without actively misleading anyone.

Suggested banner

> ⚠️ **This release was never actually published to npm.**
> The publish workflow failed with a `MODULE_NOT_FOUND: promise-retry` error
> caused by [npm/cli#9008](https://github.com/npm/cli/pull/9008), which
> silently broke the release pipeline. The GLM-5.1 support intended for
> this release ships in [v0.3.2](https://github.com/aictrl-dev/cli/releases/tag/v0.3.2),
> which also contains the platform binary `optionalDependencies` fix from #46
> and the workflow fix from #49.

Related

• v0.3.2 release saga: fix: refresh platform binary optionalDependencies on every release #46, chore: bump @aictrl/cli to 0.3.2 #47, fix: activate pinned npm via corepack in publish workflow #48, fix: pin publish workflow npm to 11.10.1 (pre promise-retry removal) #49
• Root cause fix: fix: pin publish workflow npm to 11.10.1 (pre promise-retry removal) #49

[byapparov]

Done in https://github.com/aictrl-dev/cli/releases/tag/v0.3.1 — added the never-published banner pointing at v0.3.2 (option 2 from the issue).