From 487a3027c015495ae22069b343db6714208ca48b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Lorber?=
Date: Thu, 14 May 2026 11:02:36 +0200
Subject: [PATCH] Explicitly disable caches in sensitive publish workflows
---
 docs/advanced-usage.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/docs/advanced-usage.md b/docs/advanced-usage.md
index 2671a6ad..a234fbda 100644
--- a/docs/advanced-usage.md
+++ b/docs/advanced-usage.md
@@ -401,6 +401,7 @@ steps:
 with:
 node-version: '24.x'
 registry-url: 'https://registry.npmjs.org'
+ package-manager-cache: false # Prevent cache poisoning issues
 - run: npm ci
 - run: npm publish
 env:
@@ -408,6 +409,7 @@ steps:
 - uses: actions/setup-node@v6
 with:
 registry-url: 'https://npm.pkg.github.com'
+ package-manager-cache: false # Prevent cache poisoning issues
 - run: npm publish
 env:
 NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -421,6 +423,7 @@ steps:
 with:
 node-version: '24.x'
 registry-url:
+ package-manager-cache: false # Prevent cache poisoning issues
 - run: yarn install --frozen-lockfile
 - run: yarn publish
 env:
@@ -428,6 +431,7 @@ steps:
 - uses: actions/setup-node@v6
 with:
 registry-url: 'https://npm.pkg.github.com'
+ package-manager-cache: false # Prevent cache poisoning issues
 - run: yarn publish
 env:
 NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -504,6 +508,7 @@ You must also configure a **Trusted Publisher** in npm for your package/scope th
 with:
 node-version: '24'
 registry-url: 'https://registry.npmjs.org'
+ package-manager-cache: false # Prevent cache poisoning issues
 - run: npm ci
 - run: npm run build --if-present