Summary
vp create @org:name fails with No `createConfig.templates` manifest in @org/create — `@org:name` requires one. for org packages published to GitHub Packages (npm.pkg.github.com), even though the published tarball's package.json contains a valid createConfig.templates.
Root cause: vp create reads createConfig only from the registry packument (readOrgManifest → fetchPackument → packument.versions[resolved].createConfig in dist/create/bin.js), and GitHub Packages strips custom fields from packument version metadata — the field survives in the tarball but is absent from the metadata document. Public npmjs.org preserves custom fields, which is why this only bites alternative registries.
Environment
- vite-plus
0.1.24, Node 24.x, macOS + Linux (reproduced on both)
- Org package
@daikin-dsv/create published to GitHub Packages with @daikin-dsv:registry=https://npm.pkg.github.com in .npmrc
Evidence
Version metadata returned by GitHub Packages for the published version (authenticated GET https://npm.pkg.github.com/@daikin-dsv/create):
fields present: _hasShrinkwrap, _id, _nodeVersion, _npmUser, _npmVersion, author, bugs,
description, directories, dist, files, gitHead, homepage, license, name, readme,
repository, version
createConfig present: false <-- stripped by the registry
The same version's tarball package.json (via npm pack @daikin-dsv/create):
createConfig present: true -> templates: ["template", "template-examples"]
So any org package on GitHub Packages will always fail the validateManifest check (raw.createConfig is undefined → null → the error above), regardless of what was published. Registries aren't required to preserve arbitrary custom fields in packument version documents, so relying on them there is fragile by design (same field-trimming happens with e.g. pacote.manifest() without fullMetadata).
Two adjacent issues found while tracing this
- Auth retry gate misses GitHub Packages 404s.
fetchNpmResource sends the first request unauthenticated and only retries with the .npmrc token on 401/403. GitHub Packages frequently answers unauthenticated metadata reads with 404, which fetchPackument maps to null — producing the same "no manifest" error without the token ever being sent. Consider sending credentials proactively when the scope's registry has a matching //host/:_authToken, or retrying on 404 for scope-mapped registries.
- The error message conflates three failure modes: package genuinely absent (404), auth-gated 404, and "package found but
createConfig missing from the packument". Printing the resolved registry URL and distinguishing "not found" from "found but no manifest field" would have made this diagnosable in seconds.
Suggested fix
When the resolved packument version lacks createConfig, fall back to downloading meta.dist.tarball (already fetched later for bundled ./ templates anyway) and reading createConfig from the tarball's package.json. That makes org templates registry-agnostic — the tarball is the one artifact every registry preserves byte-exact.
Repro
- Publish a minimal
@yourscope/create with createConfig.templates: [{name, description, template: "./templates/x"}] and a bundled templates/x/ to GitHub Packages.
@yourscope:registry=https://npm.pkg.github.com (+ authToken) in .npmrc.
vp create @yourscope:x my-app → No `createConfig.templates` manifest in @yourscope/create.
curl -H "Authorization: Bearer <PAT>" https://npm.pkg.github.com/@yourscope/create | jq '.versions[."dist-tags".latest? // "<version>"].createConfig' → null, while the tarball contains the field.
Happy to provide more detail — we've worked around it for now by adding a bin to our @org/create (the tarball-based npm create @org convention is unaffected), but we'd love vp create @org:name to work on GitHub Packages.
Summary
vp create @org:namefails withNo `createConfig.templates` manifest in @org/create — `@org:name` requires one.for org packages published to GitHub Packages (npm.pkg.github.com), even though the published tarball'spackage.jsoncontains a validcreateConfig.templates.Root cause:
vp createreadscreateConfigonly from the registry packument (readOrgManifest→fetchPackument→packument.versions[resolved].createConfigindist/create/bin.js), and GitHub Packages strips custom fields from packument version metadata — the field survives in the tarball but is absent from the metadata document. Public npmjs.org preserves custom fields, which is why this only bites alternative registries.Environment
0.1.24, Node 24.x, macOS + Linux (reproduced on both)@daikin-dsv/createpublished to GitHub Packages with@daikin-dsv:registry=https://npm.pkg.github.comin.npmrcEvidence
Version metadata returned by GitHub Packages for the published version (authenticated
GET https://npm.pkg.github.com/@daikin-dsv/create):The same version's tarball
package.json(vianpm pack @daikin-dsv/create):So any org package on GitHub Packages will always fail the
validateManifestcheck (raw.createConfigis undefined →null→ the error above), regardless of what was published. Registries aren't required to preserve arbitrary custom fields in packument version documents, so relying on them there is fragile by design (same field-trimming happens with e.g.pacote.manifest()withoutfullMetadata).Two adjacent issues found while tracing this
fetchNpmResourcesends the first request unauthenticated and only retries with the.npmrctoken on 401/403. GitHub Packages frequently answers unauthenticated metadata reads with 404, whichfetchPackumentmaps tonull— producing the same "no manifest" error without the token ever being sent. Consider sending credentials proactively when the scope's registry has a matching//host/:_authToken, or retrying on 404 for scope-mapped registries.createConfigmissing from the packument". Printing the resolved registry URL and distinguishing "not found" from "found but no manifest field" would have made this diagnosable in seconds.Suggested fix
When the resolved packument version lacks
createConfig, fall back to downloadingmeta.dist.tarball(already fetched later for bundled./templates anyway) and readingcreateConfigfrom the tarball'spackage.json. That makes org templates registry-agnostic — the tarball is the one artifact every registry preserves byte-exact.Repro
@yourscope/createwithcreateConfig.templates: [{name, description, template: "./templates/x"}]and a bundledtemplates/x/to GitHub Packages.@yourscope:registry=https://npm.pkg.github.com(+ authToken) in.npmrc.vp create @yourscope:x my-app→No `createConfig.templates` manifest in @yourscope/create.curl -H "Authorization: Bearer <PAT>" https://npm.pkg.github.com/@yourscope/create | jq '.versions[."dist-tags".latest? // "<version>"].createConfig'→null, while the tarball contains the field.Happy to provide more detail — we've worked around it for now by adding a
binto our@org/create(the tarball-basednpm create @orgconvention is unaffected), but we'd lovevp create @org:nameto work on GitHub Packages.