4

I am not sure whether it is possible or not.

Is it possible to prevent publishing when `npm publish` is run directly, and make it accessible only via scripts?

The user must be denied when `npm publish` is executed directly, i.e. the user must be able to publish only via a script, such as `npm run <script>`,

or

is there a way to tell npm to only publish `<folder>/`, or to look for a tarball, when publishing?

Sibiraj
  • Prevent by what? Everything that’s done on a client side could be easily changed or faked. The only place you can really control this is CI where you can define that user has no right to publish but the CI worker has – smnbbrv Jul 23 '18 at 18:30
  • I was wondering if there is any possible way to prevent an accidental publish. Just to be safe. – Sibiraj Jul 23 '18 at 18:35
  • Mark the package as private. – zero298 Jul 23 '18 at 18:48

3 Answers

15

If I mark it private I won't be able to publish at all. My main intention was to prevent accidental publishes.

The npm team gave a simple workaround, which is awesome.

package.json (both entries belong under "scripts", otherwise npm never runs them)

{
  "scripts": {
    "prepublishOnly": "node prepublish.js",
    "release": "RELEASE_MODE=true npm publish"
  }
}

prepublish.js

// RELEASE_MODE is only set by the `release` script above, never by a bare `npm publish`
const RELEASE_MODE = !!(process.env.RELEASE_MODE)

if (!RELEASE_MODE) {
    console.log('Run `npm run release` to publish the package')
    process.exit(1) // a non-zero exit from prepublishOnly aborts the publish
}
Sibiraj
  • Explanation: `prepublishOnly` is an npm state which is [guaranteed](https://docs.npmjs.com/cli/v8/using-npm/scripts) to run before `publish`. If someone inadvertently runs `npm publish`, `prepublish.js` will be executed and fail because `RELEASE_MODE` was not set. Conversely, running `npm run release` will properly set the env var, thus making the prepublish stage pass and enabling publish. – Lucio Paiva Jan 08 '22 at 01:39
4

Mark the package as private:

If you set "private": true in your package.json, then npm will refuse to publish it.

This is a way to prevent accidental publication of private repositories. If you would like to ensure that a given package is only ever published to a specific registry (for example, an internal registry), then use the publishConfig dictionary described below to override the registry config param at publish-time.

{
  "name": "some",
  "version": "1.0.0",
  "private": true
}

If you are trying to force something to happen before publishing, leverage the prepublish or prepublishOnly npm-script.

phoenix
zero298
  • Thanks. Making it private won't let me publish at all. I referred to prepublish too, but is it possible to force npm to publish only either a `tarball` or a `dir`? – Sibiraj Jul 23 '18 at 18:56
  • @Sibiraj I'm not sure what you mean. As far as I know, those are the only things that `npm publish` *can* publish. – zero298 Jul 23 '18 at 19:11
  • Thanks. Got that figured out. I missed reading the last line in your answer. The npm team gave me the same solution, which is the same as you said. Thanks – Sibiraj Aug 02 '18 at 10:46
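A fuller version of the `prepublishOnly` guard from the accepted answer, combined with zero298's point about pinning the publish registry, written as an added example for this page (it is not code from the original answers or from the npm team). The guard refuses unless `RELEASE_MODE` is exactly `true`, and, when npm has exported the effective registry to the lifecycle script as `npm_config_registry`, it also refuses to publish anywhere other than an allow-listed registry. The registry URL `https://registry.example.internal/` and the file name `prepublish-guard.js` are assumptions for the example; the guard only compares the registry when that variable is present, since npm does not export every default config value to scripts.

```javascript
// prepublish-guard.js (added example, not from the original answers)
// Intended to run as the "prepublishOnly" lifecycle script. A non-zero exit
// aborts `npm publish`; a bare `npm publish` therefore fails because only the
// "release" script sets RELEASE_MODE=true.

// Assumed internal registry for the example; replace with your own.
const ALLOWED_REGISTRY = 'https://registry.example.internal/';

// npm stores registries with a trailing slash; compare without it, case-insensitively.
function normalizeRegistry(url) {
  return String(url || '').trim().replace(/\/+$/, '').toLowerCase();
}

/**
 * Decide whether a publish may proceed, given the environment npm hands to
 * lifecycle scripts. Returns { allowed, reason } so the caller can log and exit.
 *  - RELEASE_MODE is our own flag; it must be exactly "true".
 *  - npm_config_registry is populated by npm from the effective registry
 *    (e.g. --registry or .npmrc). If present, it must match the allow-list.
 */
function checkPublish(env, allowedRegistry = ALLOWED_REGISTRY) {
  if (env.RELEASE_MODE !== 'true') {
    return { allowed: false, reason: 'RELEASE_MODE not set; run `npm run release` to publish' };
  }
  const registry = env.npm_config_registry;
  if (registry && normalizeRegistry(registry) !== normalizeRegistry(allowedRegistry)) {
    return { allowed: false, reason: `refusing to publish to unexpected registry ${registry}` };
  }
  return { allowed: true, reason: 'ok' };
}

// npm sets npm_lifecycle_event to the name of the script being run, so this
// block only fires when npm invokes the file as the prepublishOnly hook.
if (process.env.npm_lifecycle_event === 'prepublishOnly') {
  const result = checkPublish(process.env);
  if (!result.allowed) {
    console.error(`prepublish guard: ${result.reason}`);
    process.exit(1);
  }
}
```

Wire it in with `"prepublishOnly": "node prepublish-guard.js"` and `"release": "RELEASE_MODE=true npm publish"` under `scripts`. Note that the inline `VAR=value command` form is POSIX shell syntax and does not work in cmd.exe, so Windows users need `set`/`cross-env` or similar. As smnbbrv's comment says, this is a client-side safety net against accidents, not access control: anyone with publish rights can delete the guard, so real enforcement belongs in registry permissions and CI.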
1

Yes, we can restrict npm to prevent an accidental publish by setting `private: true` in package.json.

You can also have a script for publishing in your package.json:

{
  "scripts": {
    "publish:mypackages": "npm publish folder1/file1.tgz --registry http://custom-registry..."
  }
}

Now, in the command line: `npm run publish:mypackages`

It publishes the given tarball to the registry you have given.

Parameshwar Ande