This guide covers how to publish the @vapi/bulletproof package to npm as a private scoped package under the @vapi organization.
- Prerequisites
- One-Time Setup
- Publishing Steps
- Automated Publishing with GitHub Actions
- Versioning
- Troubleshooting
Before you can publish, you need:
- npm account with access to the
@vapiorganization - npm CLI installed (
npm --versionshould work) - Publish permissions for the
@vapiscope
# Verify you're logged in
npm whoami
# Check your org membership (requires npm 8+)
npm org ls vapi
# If not logged in:
npm loginThe package.json needs these settings for npm publishing:
{
"name": "@vapi/bulletproof",
"version": "1.0.0",
"private": false,
"publishConfig": {
"access": "restricted"
}
}Key settings:
"private": false- Required to publish (currently set totrue)"publishConfig.access": "restricted"- Makes it a private package (only@vapiorg members can install)
Edit package.json to enable publishing:
{
"name": "@vapi/bulletproof",
"version": "1.0.0",
- "private": true,
+ "private": false,
"description": "Pre-push guardian that uses Claude to run checks and auto-fix issues",
+ "publishConfig": {
+ "access": "restricted"
+ },
...
}Check what files will be included in the package:
npm pack --dry-runThe files field in package.json controls this:
{
"files": [
"dist",
"bin"
]
}-
Ensure you're on the main branch with latest changes:
git checkout main git pull origin main
-
Install dependencies and build:
npm install npm run build
-
Run tests to verify everything works:
npm run typecheck npm run test -
Bump the version (choose one):
# Patch release (1.0.0 -> 1.0.1) - bug fixes npm version patch # Minor release (1.0.0 -> 1.1.0) - new features npm version minor # Major release (1.0.0 -> 2.0.0) - breaking changes npm version major
-
Publish to npm:
npm publish
-
Push the version tag:
git push origin main --tags
For the very first publish, you may need to specify access explicitly:
npm publish --access restrictedSet up CI/CD to automatically publish on releases.
- Go to npmjs.com → Account Settings → Access Tokens
- Generate a new Automation token
- Copy the token (starts with
npm_...)
- Go to the repo → Settings → Secrets and variables → Actions
- Add a new secret:
- Name:
NPM_TOKEN - Value: Your npm token
- Name:
Create .github/workflows/publish.yml:
name: Publish to npm
on:
release:
types: [published]
jobs:
publish:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
registry-url: 'https://registry.npmjs.org'
- name: Install dependencies
run: npm ci
- name: Build
run: npm run build
- name: Run tests
run: |
npm run typecheck
npm run test
- name: Publish
run: npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}- Go to the repo → Releases → Create new release
- Create a new tag (e.g.,
v1.0.1) - Fill in release notes
- Click "Publish release"
- The GitHub Action will automatically publish to npm
Follow Semantic Versioning:
| Change Type | Version Bump | Example | When to Use |
|---|---|---|---|
| Bug fixes | Patch | 1.0.0 → 1.0.1 |
Backwards-compatible bug fixes |
| New features | Minor | 1.0.0 → 1.1.0 |
Backwards-compatible new functionality |
| Breaking changes | Major | 1.0.0 → 2.0.0 |
Incompatible API changes |
For testing before official release:
# Beta release
npm version prerelease --preid=beta
# 1.0.0 -> 1.0.1-beta.0
# Publish with beta tag
npm publish --tag betaUsers can install beta versions with:
npm install @vapi/bulletproof@betaYou need an npm paid plan for private scoped packages. The @vapi org should already have this.
The @vapi org needs a paid npm plan for private packages. Contact your npm org admin.
You don't have publish permissions. Ask an org admin to grant you the Developer or Admin role for the @vapi org.
# Admin can add you with:
npm team add vapi:developers <your-username>This shouldn't happen with scoped packages, but if it does, ensure you're using @vapi/bulletproof exactly.
npm ERR! This package has been marked as private
You forgot to set "private": false in package.json.
The prepublishOnly script runs automatically before npm publish:
{
"scripts": {
"prepublishOnly": "npm run build"
}
}Make sure npm run build works locally first.
After publishing, verify:
# View package info
npm view @vapi/bulletproof
# Check latest version
npm view @vapi/bulletproof version
# Install and test
npm install @vapi/bulletproof
npx bulletproof --helpFor users to install @vapi/bulletproof:
npm loginUser must be a member of the @vapi npm organization.
npm install @vapi/bulletproofUse an npm automation token:
# In CI, set the token
echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
npm install @vapi/bulletproof| Command | Description |
|---|---|
npm whoami |
Check logged-in user |
npm org ls vapi |
List org members |
npm pack --dry-run |
Preview package contents |
npm version patch |
Bump patch version |
npm publish |
Publish to npm |
npm view @vapi/bulletproof |
View published package |
npm deprecate @vapi/bulletproof@1.0.0 "msg" |
Deprecate a version |
npm unpublish @vapi/bulletproof@1.0.0 |
Remove a version (within 72h) |
- npm docs: https://docs.npmjs.com/cli/v10/commands/npm-publish
- Scoped packages: https://docs.npmjs.com/creating-and-publishing-scoped-public-packages
- Private packages: https://docs.npmjs.com/creating-and-publishing-private-packages