Option to disable 2FA

[wessberg]

Description

With np v5.0.0, 2FA is enabled by default for new packages. However, no option is exposed to disable 2FA.

Lines 198-204 in np/index.js enables 2FA if the package doesn't exist in the registry and if it isn't private.

2FA is definitely the right default, and I encourage everyone to use it. The thing is, np comes with a lot of great defaults, but it also comes with ways of opting out of them. For example:

--no-cleanup
--no-tests
--yolo
--no-publish
--no-yarn
--no-release-draft

In the same vein, something like --no-2fa should be possible. Currently it feels like the odd omission from what is otherwise a quite flexible configuration.

Possible implementation

I suggest exposing a --no-2fa CLI argument that avoids forcing 2FA for new packages.

[mikehardy]

In my case it is somehow not detecting that my package already exists, and is public. So it actually publishes but then blows before it can push tags or open the release draft. Odd error handling

[itaisteinherz]

@mikehardy Can you you open a separate issue detailing the specific problem you're experiencing?

[mikehardy]

Sure thing - will be a couple days though, I lost the output on the last release I made, which would have made an ideal case, but I release that module every couple days

[mikehardy]

opened fresh issue as instructed #427 - would be nice to be able to disable 2FA so I could push through, thus my interest in this issue

[verekia]

An other use case is for packages that are published by different people, who cannot use 2FA.
Yes it is possible to publish it first with npm publish and then use np, but an option would be nice :)

[Albert-Gao]

The current workaround is np --no-publish && npm publish

[romaricpascal]

I think I've got np to bypass it with this .np-config.js file:

module.exports = {
  // Avoids `np` trying to set 2FA again and again
  // after publishing to NPM
  exists: true
}

Without that, the 2FA gets triggered, but with it nope. Hopefully:

• it actually does what I think it does
• it doesn't have other side effects

[rstacruz]

Another workaround: To stop np from trying to enable 2FA, set a registry in the publishConfig... even if it's the default npm registry.

/* package.json */
{
  "publishConfig": {
    "registry": "https://registry.npmjs.org/"
  }
}

Context: I also tried to use np on an existing package with a scoped name (eg, @rstacruz/package-name). Like the other commenters here, np somehow fails to know that the package already exists.