Skip to content

Commit 79b0c84

Browse files
committed
fix!: default opts.access to null to preserve registry behavior
Closes #9414. BREAKING CHANGE: `opts.access` now defaults to `null` instead of `'public'`. With `null`, libnpmpublish no longer sets an explicit access level in the publish payload, so new scoped packages are created as `restricted` (registry default) and republishes preserve the existing access level. Callers that want to force public access must now pass `access: 'public'` explicitly.
1 parent 080e3b2 commit 79b0c84

3 files changed

Lines changed: 14 additions & 7 deletions

File tree

workspaces/libnpmpublish/README.md

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -44,8 +44,13 @@ A couple of options of note:
4444
defaults to `latest`.
4545

4646
* `opts.access` - tells the registry whether this package should be
47-
published as `public` or `restricted`. Only applies to scoped
48-
packages. Defaults to `public`.
47+
published as `'public'` or `'restricted'`. May also be `null`, which
48+
preserves the existing access level on already-published packages and
49+
defers to the registry's default for new packages (the registry treats
50+
scoped packages as `restricted` and unscoped packages as `public` by
51+
default). Only `'restricted'` and `null` are meaningful for scoped
52+
packages; `'restricted'` is rejected for unscoped packages. Defaults to
53+
`null`.
4954

5055
* `opts.token` - can be passed in and will be used as the authentication
5156
token for the registry. For other ways to pass in auth details, see the

workspaces/libnpmpublish/lib/publish.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ Remove the 'private' field from the package.json to publish it.`),
2323
// spec is used to pick the appropriate registry/auth combo
2424
const spec = npa.resolve(manifest.name, manifest.version)
2525
opts = {
26-
access: 'public',
26+
access: null,
2727
algorithms: ['sha512'],
2828
defaultTag: 'latest',
2929
...opts,

workspaces/libnpmpublish/test/publish.js

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -57,7 +57,7 @@ t.test('basic publish - no npmVersion', async t => {
5757
},
5858
},
5959
},
60-
access: 'public',
60+
access: null,
6161
_attachments: {
6262
'libnpmpublish-test-1.0.0.tgz': {
6363
content_type: 'application/octet-stream',
@@ -110,7 +110,7 @@ t.test('scoped publish', async t => {
110110
},
111111
},
112112
},
113-
access: 'public',
113+
access: null,
114114
_attachments: {
115115
'@npmcli/libnpmpublish-test-1.0.0.tgz': {
116116
content_type: 'application/octet-stream',
@@ -302,7 +302,7 @@ t.test('other error code', async t => {
302302
const packument = {
303303
name: 'libnpmpublish',
304304
description: 'some stuff',
305-
access: 'public',
305+
access: null,
306306
_id: 'libnpmpublish',
307307
'dist-tags': {
308308
latest: '1.0.0',
@@ -546,6 +546,7 @@ t.test('publish existing package with provenance in gha', async t => {
546546

547547
const ret = await publish(manifest, tarData, {
548548
...opts,
549+
access: 'public',
549550
provenance: true,
550551
fulcioURL: fulcioURL,
551552
rekorURL: rekorURL,
@@ -766,7 +767,7 @@ t.test('user-supplied provenance - success', async t => {
766767
},
767768
},
768769
},
769-
access: 'public',
770+
access: null,
770771
_attachments: {
771772
'@npmcli/libnpmpublish-test-1.0.0.tgz': {
772773
content_type: 'application/octet-stream',
@@ -1091,6 +1092,7 @@ t.test('publish existing package with provenance in gitlab', async t => {
10911092

10921093
const ret = await publish(manifest, tarData, {
10931094
...opts,
1095+
access: 'public',
10941096
provenance: true,
10951097
fulcioURL: fulcioURL,
10961098
rekorURL: rekorURL,

0 commit comments

Comments
 (0)