Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@lerna/publish
Advanced tools
@lerna/publish
Publish packages in the current project
lerna publish # publish packages that have changed since the last release
lerna publish from-git # explicitly publish packages tagged in current commit
When run, this command does one of the following things:
lerna version
behind the scenes).
from-git
).Lerna will never publish packages which are marked as private (
"private": true
in thepackage.json
).
Note: to publish scoped packages, you need to add the following to each package.json
:
"publishConfig": {
"access": "public"
}
from-git
In addition to the semver keywords supported by lerna version
,
lerna publish
also supports the from-git
keyword.
This will identify packages tagged by lerna version
and publish them to npm.
This is useful in CI scenarios where you wish to manually increment versions,
but have the package contents themselves consistently published by an automated process.
lerna publish
supports all of the options provided by lerna version
in addition to the following:
--canary
--npm-client <client>
--npm-tag <dist-tag>
--no-verify-access
--no-verify-registry
--registry <url>
--temp-tag
--yes
--canary
lerna publish --canary
# 1.0.0 => 1.0.1-alpha.0+${SHA} of packages changed since the previous commit
# a subsequent canary publish will yield 1.0.1-alpha.1+${SHA}, etc
lerna publish --canary --preid beta
# 1.0.0 => 1.0.1-beta.0+${SHA}
# The following are equivalent:
lerna publish --canary minor
lerna publish --canary preminor
# 1.0.0 => 1.1.0-alpha.0+${SHA}
When run with this flag, lerna publish
publishes packages in a more granular way (per commit). Before publishing to npm, it creates the new version
tag by taking the current version
, bumping it to the next minor version, adding the provided meta suffix (defaults to alpha
) and appending the current git sha (ex: 1.0.0
becomes 1.1.0-alpha.81e3b443
).
The intended use case for this flag is a per commit level release or nightly release.
--npm-client <client>
Must be an executable that knows how to publish packages to an npm registry.
The default --npm-client
is npm
.
lerna publish --npm-client yarn
May also be configured in lerna.json
:
{
"command": {
"publish": {
"npmClient": "yarn"
}
}
}
--npm-tag <dist-tag>
lerna publish --npm-tag next
When run with this flag, lerna publish
will publish to npm with the given npm dist-tag (defaults to latest
).
This option can be used to publish a prerelease
or beta
version under a non-latest
dist-tag, helping consumers avoid automatically upgrading to prerelease-quality code.
Note: the
latest
tag is the one that is used when a user runsnpm install my-package
. To install a different tag, a user can runnpm install my-package@prerelease
.
--no-verify-access
By default, lerna
will verify the logged-in npm user's access to the packages about to be published. Passing this flag will disable that check.
Please use with caution
--no-verify-registry
By default, lerna
will verify that the npm registry is reachable and the current npm user is authenticated. Passing this flag will disable that check.
Please use with caution
--registry <url>
When run with this flag, forwarded npm commands will use the specified registry for your package(s).
This is useful if you do not want to explicitly set up your registry configuration in all of your package.json files individually when e.g. using private registries.
--temp-tag
When passed, this flag will alter the default publish process by first publishing
all changed packages to a temporary dist-tag (lerna-temp
) and then moving the
new version(s) to the default dist-tag (latest
).
This is not generally necessary, as Lerna will publish packages in topological order (all dependencies before dependents) by default.
--yes
lerna publish --canary --yes
# skips `Are you sure you want to publish the above changes?`
When run with this flag, lerna publish
will skip all confirmation prompts.
Useful in Continuous integration (CI) to automatically answer the publish confirmation prompt.
--skip-npm
Call lerna version
directly, instead.
3.2.0 (2018-08-28)
--no-git-tag-version
passed (bd948cc), closes #1613--help
output (#1612) (2ab62c1), closes #1608<a name="3.1.4"></a>
FAQs
Publish packages in the current project
The npm package @lerna/publish receives a total of 375,760 weekly downloads. As such, @lerna/publish popularity was classified as popular.
We found that @lerna/publish demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.