Use this checklist for npm publication and public distribution.
- Confirm package ownership for the `@botblocker` npm scope.
- Confirm the public repository URL and add it to `package.json` when available.
- Configure npm 2FA for publish operations.
- Prefer publishing from CI with npm provenance enabled when the release workflow is ready.
- Confirm the security contact channel at https://botblocker.top.
```bash
npm ci
npm run verify
npm audit --omit=dev
npm pack --dry-run
npm publish --dry-run
```

Expected quality gate:
- build succeeds;
- TypeScript declarations compile;
- Node coverage is 100% for lines, branches, and functions;
- Playwright tests pass in Chromium, Firefox, and WebKit;
- minified browser bundle stays under the configured budget;
- production dependency audit reports zero vulnerabilities;
- package dry-run includes only intended files.
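
One way to automate the "package dry-run includes only intended files" gate, as an added example that is not part of the project's own tooling. It checks the file list from `npm pack --dry-run --json` against an allowlist; the `ALLOWED` and `DENIED` patterns and the sample report are assumptions to adapt to the real package layout.

```javascript
// Added example: audit the file list reported by `npm pack --dry-run --json`.
// ALLOWED / DENIED are assumed patterns, not the project's actual layout.
const ALLOWED = [
  /^package\.json$/,
  /^README\.md$/,
  /^LICENSE$/,
  /^CHANGELOG\.md$/,
  /^dist\/.+\.(js|cjs|mjs|d\.ts)$/,
];
// Files that must never ship, even if an allowlist pattern is loosened later.
const DENIED = [/(^|\/)\.env(\..*)?$/, /(^|\/)\.npmrc$/, /\.(pem|key)$/];

// `report` is the parsed JSON array npm prints: one entry per packed package,
// each with a `files` array of { path, size, mode } objects.
function auditPack(report) {
  const findings = [];
  for (const pkg of report) {
    for (const { path } of pkg.files) {
      if (DENIED.some((re) => re.test(path))) {
        findings.push({ path, reason: 'denied' });
      } else if (!ALLOWED.some((re) => re.test(path))) {
        findings.push({ path, reason: 'unexpected' });
      }
    }
  }
  return findings;
}

// Constructed sample report (trimmed to the fields the check reads).
const SAMPLE = [{
  name: '@botblocker/fingerprintjs',
  version: '0.0.0',
  files: [
    { path: 'package.json' },
    { path: 'README.md' },
    { path: 'dist/index.js' },
    { path: 'dist/index.d.ts' },
    { path: 'dist/server.cjs' },
    { path: '.npmrc' },
    { path: 'tests/fixtures/visitors.json' },
    { path: 'dist/.env.local' },
  ],
}];

for (const f of auditPack(SAMPLE)) console.log(`${f.reason}: ${f.path}`);
```

In a release workflow, feed it the parsed output of `npm pack --dry-run --json` and fail the job when the returned list is not empty.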
- Patch release: compatible API and no intentional default identity hash change.
- Minor release: new API, new report-only signals, or documented identity hash changes.
- Major release: breaking API, package export changes, or incompatible result schema changes.
If default identity inputs change, document the migration impact in CHANGELOG.md and docs/VERSION_POLICY.md.
```bash
npm version patch
npm publish --access public
```

Use `minor` or `major` instead of `patch` when the versioning rules require it.
- Install the package in a clean temporary project.
- Test ESM import, CommonJS require, and the `@botblocker/fingerprintjs/server` subpath.
- Download the browser bundle from the published package and run the browser demo.
- Tag the release in git and attach a short release note based on `CHANGELOG.md`.