3

I am not sure whether it is possible or not.

Is it possible to prevent publishing when npm publish is run directly and make it accessible only via scripts?

The user must be denied when npm publish is executed directly, i.e. the user must be able to publish via any script or npm run <script>.

or

Is there a way to tell npm to publish only <folder>/ or to look for a tarball when publishing?

4

3 Answers

10

If I mark it private I won't be able to publish at all. My main intention was to prevent accidental publishes.

The NPM team gave a simple workaround, which is awesome.

package.json

{
  "scripts": {
    "prepublishOnly": "node prepublish.js",
    "release": "RELEASE_MODE=true npm publish"
  }
}

prepublish.js

const RELEASE_MODE = !!(process.env.RELEASE_MODE)

if (!RELEASE_MODE) {
    console.log('Run `npm run release` to publish the package')
    process.exit(1) //which terminates the publish process
}
Answered 2018-08-02T10:44:06.920
3

Mark the package as private:

If you set "private": true in your package.json, then npm will refuse to publish it.

This is a way to prevent accidental publication of private repositories. If you would like to ensure that a given package is only ever published to a specific registry (for example, an internal registry), then use the publishConfig dictionary described below to override the registry config param at publish-time.

{
  "name": "some",
  "version": "1.0.0",
  "private": true
}

If you are trying to force something to happen before publishing, leverage the prepublish or prepublishOnly npm-script.

Answered 2018-07-23T18:49:52.733
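An added example, not code from either answer above: a stricter `prepublish.js` that combines the `RELEASE_MODE` guard from the first answer with the `publishConfig` registry pin mentioned in the second. Environment variables are always strings, so `!!process.env.RELEASE_MODE` is also true for `RELEASE_MODE=false`; this version accepts only the exact value `true`. `EXPECTED_REGISTRY` and the function names are assumptions made for the illustration.

```javascript
// prepublish.js (added example, not the answer's original script)
// EXPECTED_REGISTRY is a constructed placeholder; use your own registry URL.
const EXPECTED_REGISTRY = 'https://registry.example.internal/';

// Environment variables are strings, so "false" and "0" are truthy under
// !!value. Accept only the explicit opt-in value set by `npm run release`.
function isReleaseMode(env) {
  return env.RELEASE_MODE === 'true';
}

// Compare registry URLs, ignoring surrounding whitespace and trailing slashes.
function sameRegistry(a, b) {
  const norm = (u) => String(u).trim().replace(/\/+$/, '');
  return norm(a) === norm(b);
}

// Returns the reasons to abort; an empty list means publishing may proceed.
function publishBlockers(env, pkg, expectedRegistry) {
  const reasons = [];
  if (!isReleaseMode(env)) {
    reasons.push('RELEASE_MODE is not "true"; run `npm run release` to publish');
  }
  const pinned = pkg.publishConfig && pkg.publishConfig.registry;
  if (!pinned) {
    reasons.push('package.json has no publishConfig.registry');
  } else if (!sameRegistry(pinned, expectedRegistry)) {
    reasons.push(`publishConfig.registry is ${pinned}, expected ${expectedRegistry}`);
  }
  return reasons;
}

// npm sets npm_lifecycle_event to the name of the script it is running,
// so these checks only fire when npm invokes this file as prepublishOnly.
if (process.env.npm_lifecycle_event === 'prepublishOnly') {
  // Assumes this file sits next to package.json.
  const pkg = require('./package.json');
  const reasons = publishBlockers(process.env, pkg, EXPECTED_REGISTRY);
  if (reasons.length > 0) {
    reasons.forEach((r) => console.error(`publish blocked: ${r}`));
    process.exit(1); // non-zero exit makes npm abort the publish
  }
}
```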
1

Yes, we can restrict npm to prevent accidental publishing by setting private: true in package.json.

You can also have a script for publishing in your package.json:

{
     "scripts": {
          "publish:mypackages": "npm publish folder1/file1.tgz --registry http://custom-registry..."
     }
}

Now in cmd: npm run publish:mypackages

It publishes the given tarball to the registry you have given.

Answered 2018-07-31T13:41:29.260