Prevent `npm publish` when run directly
I am not sure whether it is possible or not.

Is it possible to prevent publishing when `npm publish` is run directly and make it accessible only via scripts?

The user must be denied when `npm publish` is executed directly, i.e. the user must only be able to publish via scripts or `npm run <script>`.

or

Is there a way to tell npm to publish only <folder>/ or to look for a tarball when publishing?

Klina answered 23/7, 2018 at 18:11 Comment(3)
Prevent by what? Everything that's done on the client side could be easily changed or faked. The only place you can really control this is CI, where you can define that the user has no right to publish but the CI worker has. – Motion
I was wondering if there is any possible way to prevent accidental publishes. Just to be safe. – Klina
Mark the package as private. – Dispute
If I mark it private I won't be able to publish at all. My main intention was to prevent accidental publishes.

The npm team gave a simple workaround which is awesome.

package.json

{
  "scripts": {
    "prepublishOnly": "node prepublish.js",
    "release": "RELEASE_MODE=true npm publish"
  }
}

prepublish.js

// RELEASE_MODE is only set by the `release` script, so a bare `npm publish` lands here without it
const RELEASE_MODE = !!(process.env.RELEASE_MODE)

if (!RELEASE_MODE) {
    console.log('Run `npm run release` to publish the package')
    process.exit(1) // a non-zero exit from prepublishOnly aborts the publish
}
Klina answered 2/8, 2018 at 10:44 Comment(1)
Explanation: prepublishOnly is an npm state which is guaranteed to run before publish. If someone inadvertently runs npm publish, prepublish.js will be executed and fail because RELEASE_MODE was not set. Conversely, running npm run release will properly set the env var, thus making the prepublish stage pass and enabling publish. – Stoneblind
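A more defensive version of that guard, as an added example that is not part of the original answer or of npm: besides requiring RELEASE_MODE it refuses when the package is marked private or when package.json does not pin publishConfig.registry to the expected registry, and the decision is a pure function so it can be tested. The registry URL, the function name and the `=== 'true'` comparison are assumptions made for this example.

```javascript
// prepublish-guard.js: run as the prepublishOnly hook, e.g.
//   "prepublishOnly": "node prepublish-guard.js"
// Added example; ALLOWED_REGISTRY is a constructed value, not from the page.
'use strict';

const ALLOWED_REGISTRY = 'https://registry.example.internal/';

// Pure decision function: `env` is a process.env-like object and `pkg`
// the parsed package.json. Returns { ok, reason } instead of exiting so
// the policy can be unit-tested without touching the real npm lifecycle.
function checkPublish(env, pkg) {
  // 1. Only the `release` script sets RELEASE_MODE=true, so a bare
  //    `npm publish` is rejected here (the workaround from the answer).
  if (env.RELEASE_MODE !== 'true') {
    return { ok: false, reason: 'Run `npm run release` to publish the package' };
  }
  // 2. A private package must never reach any registry.
  if (pkg.private === true) {
    return { ok: false, reason: 'package.json has "private": true' };
  }
  // 3. Pin the destination in package.json itself so the target does not
  //    depend on whichever .npmrc happens to be in effect for the user.
  const registry = (pkg.publishConfig && pkg.publishConfig.registry) || '';
  if (registry !== ALLOWED_REGISTRY) {
    return {
      ok: false,
      reason: `publishConfig.registry must be ${ALLOWED_REGISTRY}, got "${registry}"`,
    };
  }
  return { ok: true, reason: 'release mode set, registry pinned' };
}

// npm exports npm_lifecycle_event to scripts it runs; only when this file is
// invoked as the prepublishOnly hook does it read package.json and abort the
// publish with a non-zero exit. Otherwise it just defines the check.
if (process.env.npm_lifecycle_event === 'prepublishOnly') {
  const fs = require('fs');
  const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));
  const result = checkPublish(process.env, pkg);
  console.log(result.reason);
  if (!result.ok) process.exit(1);
}
```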
Mark the package as private:

If you set "private": true in your package.json, then npm will refuse to publish it.

This is a way to prevent accidental publication of private repositories. If you would like to ensure that a given package is only ever published to a specific registry (for example, an internal registry), then use the publishConfig dictionary described below to override the registry config param at publish-time.

{
  "name": "some",
  "version": "1.0.0",
  "private": true
}

If you are trying to force something to happen before publishing, leverage the prepublish or prepublishOnly npm-script.

Dispute answered 23/7, 2018 at 18:49 Comment(3)
Thanks. Making it private won't let me publish at all. I referred to prepublish too, but is it possible to force npm to publish only either a tarball or a dir? – Klina
@Klina I'm not sure what you mean. As far as I know, those are the only things that npm publish can publish. – Dispute
Thanks. Got that figured out. I missed reading the last line in your answer. The npm team gave me the same solution, which is the same as you said. Thanks. – Klina
Yes, we can restrict npm to prevent accidental publishes by setting private: true in package.json.

You can also have a script for publishing in your package.json:

{
  "scripts": {
    "publish:mypackages": "npm publish folder1/file1.tgz --registry http://custom-registry..."
  }
}

Now in cmd: npm run publish:mypackages

It publishes the given tarball to the registry you have given.

Dendriform answered 31/7, 2018 at 13:41 Comment(0)