libnpmpublish
Programmatic API for the bits behind npm publish and unpublish
libnpmpublish is a Node.js library for programmatically publishing and unpublishing npm packages. Give it a manifest as an object and a tarball as a Buffer, and it'll put them on the registry for you.
const { publish, unpublish } = require('libnpmpublish')
$ npm install libnpmpublish
opts for libnpmpublish commands
libnpmpublish uses npm-registry-fetch. Most options are passed through directly to that library, so please refer to its own opts documentation for options that can be passed in.
A couple of options of note:
opts.defaultTag - registers the published package with the given tag, defaults to latest.
opts.access - tells the registry whether this package should be published as public or restricted. Only applies to scoped packages. Defaults to public.
opts.token - can be passed in and will be used as the authentication token for the registry. For other ways to pass in auth details, see the n-r-f docs.
opts.provenance - when running in a supported CI environment, will trigger the generation of a signed provenance statement to be published alongside the package. Mutually exclusive with the provenanceFile option.
opts.provenanceFile - specifies the path to an externally-generated provenance statement to be published alongside the package. Mutually exclusive with the provenance option. The specified file should be a Sigstore Bundle containing a DSSE-packaged provenance statement.
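A pre-publish sanity check for a file intended for opts.provenanceFile, added here as an example; it is not libnpmpublish's own code and does not verify the Sigstore signature. The JSON field names (dsseEnvelope, payloadType, subject, digest.sha512), the purl form of the subject name, and the helper names are assumptions based on the Sigstore bundle and in-toto statement layouts.

```javascript
// Added example (not libnpmpublish code): structural check of a provenance
// bundle against the manifest and tarball that are about to be published.
const crypto = require('node:crypto')

const IN_TOTO = 'application/vnd.in-toto+json'

// Assumed subject name form: pkg:npm/<name>@<version>, with the "@" of a
// scope percent-encoded.
const purl = m => `pkg:npm/${m.name.replace(/^@/, '%40')}@${m.version}`
const sha512Hex = buf => crypto.createHash('sha512').update(buf).digest('hex')

function checkProvenanceBundle (bundleJson, manifest, tarData) {
  const env = JSON.parse(bundleJson).dsseEnvelope
  if (!env) throw new Error('no dsseEnvelope: not a DSSE-packaged bundle')
  if (env.payloadType !== IN_TOTO) throw new Error(`unexpected payloadType ${env.payloadType}`)
  const statement = JSON.parse(Buffer.from(env.payload, 'base64').toString('utf8'))
  const subjects = Array.isArray(statement.subject) ? statement.subject : []
  if (subjects.length !== 1) throw new Error(`expected 1 subject, found ${subjects.length}`)
  const [subject] = subjects
  if (subject.name !== purl(manifest)) {
    throw new Error(`subject ${subject.name} is not ${purl(manifest)}`)
  }
  if (!subject.digest || subject.digest.sha512 !== sha512Hex(tarData)) {
    throw new Error('subject digest does not match tarball')
  }
  return { subject: subject.name, predicateType: statement.predicateType }
}

// Constructed sample: an unsigned bundle skeleton for a made-up package.
function constructedBundle (manifest, tarData) {
  const statement = {
    _type: 'https://in-toto.io/Statement/v1',
    subject: [{ name: purl(manifest), digest: { sha512: sha512Hex(tarData) } }],
    predicateType: 'https://slsa.dev/provenance/v1',
    predicate: {}
  }
  return JSON.stringify({
    dsseEnvelope: {
      payloadType: IN_TOTO,
      payload: Buffer.from(JSON.stringify(statement)).toString('base64'),
      signatures: []
    }
  })
}
```

Running this check before calling publish catches a bundle that was generated for a different version or a rebuilt tarball, which would otherwise attach provenance to bytes it does not describe.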
> libpub.publish(manifest, tarData, [opts]) -> Promise
Sends the package represented by the manifest and tarData to the configured registry.
manifest should be the parsed package.json for the package being published (which can also be the manifest pulled from a packument, a git repo, tarball, etc.)
tarData is a Buffer of the tarball being published.
If opts.npmVersion is passed in, it will be used as the _npmVersion field in the outgoing packument. You may put your own user-agent string in there to identify your publishes.
If opts.algorithms is passed in, it should be an array of hashing algorithms to generate integrity hashes for. The default is ['sha512'], which means you end up with dist.integrity = 'sha512-deadbeefbadc0ffee'. Any algorithm supported by your current node version is allowed -- npm clients that do not support those algorithms will simply ignore the unsupported hashes.
// note that pacote.manifest() and pacote.tarball() can also take
// any spec that npm can install. a folder shown here, since that's
// far and away the most common use case.
const libpub = require('libnpmpublish')
const path = '/a/path/to/your/source/code'
const pacote = require('pacote') // see: http://npm.im/pacote
const manifest = await pacote.manifest(path)
const tarData = await pacote.tarball(path)
// options go in a single object, the third argument
await libpub.publish(manifest, tarData, {
  npmVersion: 'my-pub-script@1.0.2',
  token: 'my-auth-token-here' // placeholder value
})
// Package has been published to the npm registry.
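What opts.algorithms produces, and how a consumer can check a tarball against it, shown as an added example that is not code from libnpmpublish. The function names and the algorithm preference order are assumptions made for the illustration; the string format is the `<algorithm>-<base64 digest>` form described above.

```javascript
// Added example: build and verify dist.integrity-style strings.
const crypto = require('node:crypto')

// Assumed preference order, strongest first.
const PREFERENCE = ['sha512', 'sha384', 'sha256', 'sha1']

// One "<alg>-<base64 digest>" entry per requested algorithm, space-separated.
function integrityFor (tarData, algorithms = ['sha512']) {
  return algorithms
    .map(alg => `${alg}-${crypto.createHash(alg).update(tarData).digest('base64')}`)
    .join(' ')
}

// Entries with an algorithm this Node build does not support are ignored.
// Of the rest, only the strongest algorithm is checked, so a matching weak
// hash cannot vouch for data that fails the strong one.
function verifyIntegrity (tarData, integrity) {
  const supported = new Set(crypto.getHashes())
  const entries = integrity.trim().split(/\s+/)
    .map(e => {
      const i = e.indexOf('-')
      return { alg: e.slice(0, i), digest: e.slice(i + 1) }
    })
    .filter(e => supported.has(e.alg))
  if (entries.length === 0) return { ok: false, reason: 'no supported algorithm' }
  const rank = a => {
    const r = PREFERENCE.indexOf(a)
    return r === -1 ? PREFERENCE.length : r
  }
  const best = entries.reduce((a, b) => (rank(b.alg) < rank(a.alg) ? b : a)).alg
  const actual = crypto.createHash(best).update(tarData).digest()
  const ok = entries.filter(e => e.alg === best).some(e => {
    const expected = Buffer.from(e.digest, 'base64')
    return expected.length === actual.length && crypto.timingSafeEqual(expected, actual)
  })
  return ok ? { ok: true, algorithm: best } : { ok: false, reason: `${best} mismatch` }
}
```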
> libpub.unpublish(spec, [opts]) -> Promise
Unpublishes spec from the appropriate registry. The registry in question may have its own limitations on unpublishing.
spec should be either a string, or a valid npm-package-arg parsed spec object. For legacy compatibility reasons, only tag and version specs will work as expected. range specs will fail silently in most cases.
await libpub.unpublish('lodash', { token: 'i-am-the-worst'})
//
// `lodash` has now been unpublished, along with all its versions
11.0.0-pre.0 (2024-11-26)
--ignore-scripts now applies to all lifecycle scripts, include prepare
npm hook command has been removed
^20.17.0 || >=22.9.0
^20.17.0 || >=22.9.0
16b7367 #7910 publishing prerelease requires explicit tag (#7910) (@reggi)
e19bff0 #7901 perf: enable compile cache if present (#7901) (@H4ad)
080a0f2 #7911 remove old audit fallback request (@wraithgar)
780afc5 #7855 pkg: display if any of multiple attributes exist (#7855) (@Sanderovich)
ecd2d23 #7842 don't go into global mode if aliased to npmg (#7842) (@wraithgar)
62c71e5 #7835 removes npm hook command (@reggi)
7f541e8 #7815 make pack and exec work with git hash refs (#7815) (@milaninfy)
3162620 #7831 sets node engine range to ^20.17.0 || >=22.9.0 (@reggi)
4c8ba0a #7831 for @npmcli/docs sets node engine range to ^20.17.0 || >=22.9.0 (@reggi)
70cd88d #7808 view: sort and truncate dist-tags (#7808) (@wraithgar)
534ad77 #7795 remove unused parameters catch statements (#7795) (@btea)
78293ad #7937 spdx-license-ids@3.0.20
33cf580 #7937 promise-call-limit@3.0.2
ef1c368 #7937 package-json-from-dist@1.0.1
92e6f07 #7937 npm-registry-fetch@18.0.2
e32284a #7937 npm-install-checks@7.1.1
5dffd11 #7937 negotiator@0.6.4
69d9f01 #7937 make-fetch-happen@14.0.3
884bbde #7937 hosted-git-info@8.0.2
3c74ec0 #7937 debug@4.3.7
f00359f #7937 cross-spawn@7.0.6
534bbe8 #7937 ci-info@4.1.0
8cbf1a7 #7937 @npmcli/promise-spawn@8.0.2
1bd39e7 #7937 @npmcli/map-workspaces@4.0.2
eb6498d #7937 ansi-regex@6.1.0
66fc8c9 #7850 @npmcli/metavuln-calculator@8.0.1
7dbef6f #7850 pacote@20.0.0
75a3f12 #7859 remove unused deps (#7859)
f36dc59 #7833 pacote@19.0.1
7ee15bb #7833 bump sigstore from 2.x to 3.0.0 (@bdehamer)
2d530a5 #7941 tests: account for when npm is a prerelease (#7941) (@wraithgar)
2c1b369 #7937 dev dependency updates (@wraithgar)
6edfe2f #7937 @npmcli/template-oss@4.23.5 (@wraithgar)
475285b #7920 clean up dependency graph repos (#7920) (@hashtagchris)
ec57f5f #7911 fix dependencies script for circular workspace deps (@wraithgar)
ccd8420 #7911 fix cli tests for audit fallback removal (@wraithgar)
720b4d8 #7833 bump @npmcli/arborist to 8.0.0 (@wraithgar)
286739c #7824 add creation of a DEPENDENCIES.json file (#7824) (@reggi)
852dd8b #7831 sets npm 11 to prerelease (@reggi)
95d009e #7831 update engine ^20.17.0 || >=22.9.0 in actions (@reggi)
5a74478 #7831 update engines ^20.17.0 || >=22.9.0 in package template (@reggi)
@npmcli/arborist@9.0.0-pre.0
@npmcli/config@10.0.0-pre.0
libnpmaccess@10.0.0-pre.0
libnpmdiff@8.0.0-pre.0
libnpmexec@10.0.0-pre.0
libnpmfund@7.0.0-pre.0
libnpmorg@8.0.0-pre.0
libnpmpack@9.0.0-pre.0
libnpmpublish@11.0.0-pre.0
libnpmsearch@9.0.0-pre.0
libnpmteam@8.0.0-pre.0
libnpmversion@8.0.0-pre.0
FAQs
The npm package libnpmpublish receives a total of 1,133,937 weekly downloads. As such, libnpmpublish popularity was classified as popular.
We found that libnpmpublish demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 6 open source maintainers collaborating on the project.