-
Notifications
You must be signed in to change notification settings - Fork 115
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Check package permission on the registry #4
Comments
During the npm release I ended up having an error: npm ERR! This package has been marked as private
npm ERR! Remove the 'private' field from the package.json to publish it. This could be prevented within It should break with: {
+ "private": "true"
} |
Maybe |
@pvdlg according to https://docs.npmjs.com/files/package.json#private:
I believe |
But in the context of semantic-release you can set If you throw an error when Having a package with |
This is not true, this is how we install our private package which are not released on any registries. We use I agree that a warning would be sufficient as we may want to tag a GitLab/GitHub version. |
What I'm saying is that if My point is that there is no reason to throw an error is |
This just bit me:
|
okay
|
@travi @gr2m @babblebey I just realized, I can't run this check on the first publish because the package won't exist in npm yet. Therefore, I should do something like
But |
One way we could go about this is.... Conditionally run this permission check based on existence of the package in registry.. I haven't figured exactly how but I believe we could do a search before-hand to figure whether the package exists in registry. I found the |
@babblebey searching for private packages won't work if the token doesn't have access, it will just look like the package doesn't exist. That's why we need to use |
Argh, turns out npm's API is insufficient for this right now. |
Hmmm, I could make a check that correctly errors out on a classic token with insufficient permission, but allows any granular token for now; then if npm provides a way to properly check the token's permissions someday, we could update the verification logic. Here's what the verify logic would be:
Thoughts? @travi @gr2m @babblebey |
Currently we only check if the user is authenticated on the configured registry.
But if a user set a valid
NPM_TOKEN
, that doesn't have the permission to deploy the current package the release will fail during the publish phase. Similarly if the package name is already taken the release will fail.To avoid that we should check in the
verifyConditions
if the package exists, and if it does, make sure the user hasread-write
access to the package.Unfortunately the npm-registry-client doesn't implement the method. So it would have to be done with
npm access ls-collaborators <@scope/package>
.In addition it would be great, in case of a
restricted
package to be able to check if the organization is private and paid. But I'm didn't find a way to do that.During publish if the organization is not private and paid, the registry returns a
402
error.The text was updated successfully, but these errors were encountered: