File Explorer

1const { log, output } = require('proc-log')2const semver = require('semver')3const pack = require('libnpmpack')4const libpub = require('libnpmpublish').publish5const runScript = require('@npmcli/run-script')6const pacote = require('pacote')7const npa = require('npm-package-arg')8const npmFetch = require('npm-registry-fetch')9const { redactLog: replaceInfo } = require('@npmcli/redact')10const { otplease } = require('../utils/auth.js')11const { getContents, logTar } = require('../utils/tar.js')12// for historical reasons, publishConfig in package.json can contain ANY config13// keys that npm supports in .npmrc files and elsewhere.  We *may* want to14// revisit this at some point, and have a minimal set that's a SemVer-major15// change that ought to get a RFC written on it.16const { flatten } = require('@npmcli/config/lib/definitions')17const pkgJson = require('@npmcli/package-json')18const BaseCommand = require('../base-cmd.js')19const { oidc } = require('../../lib/utils/oidc.js')20 21class Publish extends BaseCommand {22  static description = 'Publish a package'23  static name = 'publish'24  static params = [25    'tag',26    'access',27    'dry-run',28    'otp',29    'workspace',30    'workspaces',31    'include-workspace-root',32    'provenance',33  ]34 35  static usage = ['<package-spec>']36  static workspaces = true37  static ignoreImplicitWorkspace = false38 39  async exec (args) {40    if (args.length === 0) {41      args = ['.']42    }43    if (args.length !== 1) {44      throw this.usageError()45    }46 47    await this.#publish(args)48  }49 50  async execWorkspaces (args) {51    const useWorkspaces = args.length === 0 || args.includes('.')52    if (!useWorkspaces) {53      log.warn('Ignoring workspaces for specified package(s)')54      return this.exec(args)55    }56    await this.setWorkspaces()57 58    for (const [name, workspace] of this.workspaces.entries()) {59      try {60        await this.#publish([workspace], { workspace: name })61      } catch (err) {62        if (err.code !== 'EPRIVATE') {63          throw err64        }65        log.warn('publish', `Skipping workspace ${this.npm.chalk.cyan(name)}, marked as ${this.npm.chalk.bold('private')}`)66      }67    }68  }69 70  async #publish (args, { workspace } = {}) {71    log.verbose('publish', replaceInfo(args))72 73    const unicode = this.npm.config.get('unicode')74    const dryRun = this.npm.config.get('dry-run')75    const json = this.npm.config.get('json')76    const defaultTag = this.npm.config.get('tag')77    const ignoreScripts = this.npm.config.get('ignore-scripts')78    const { silent } = this.npm79 80    if (semver.validRange(defaultTag)) {81      throw new Error('Tag name must not be a valid SemVer range: ' + defaultTag.trim())82    }83 84    const opts = { ...this.npm.flatOptions, progress: false }85 86    // you can publish name@version, ./foo.tgz, etc.87    // even though the default is the 'file:.' cwd.88    const spec = npa(args[0])89    let manifest = await this.#getManifest(spec, opts)90 91    // only run scripts for directory type publishes92    if (spec.type === 'directory' && !ignoreScripts) {93      await runScript({94        event: 'prepublishOnly',95        path: spec.fetchSpec,96        stdio: 'inherit',97        pkg: manifest,98      })99    }100 101    // we pass dryRun: true to libnpmpack so it doesn't write the file to disk102    const tarballData = await pack(spec, {103      ...opts,104      foregroundScripts: this.npm.config.isDefault('foreground-scripts')105        ? true106        : this.npm.config.get('foreground-scripts'),107      dryRun: true,108      prefix: this.npm.localPrefix,109      workspaces: this.workspacePaths,110    })111    const pkgContents = await getContents(manifest, tarballData)112    const logPkg = () => logTar(pkgContents, { unicode, json, key: workspace })113 114    // The purpose of re-reading the manifest is in case it changed,115    // so that we send the latest and greatest thing to the registry116    // note that publishConfig might have changed as well!117    manifest = await this.#getManifest(spec, opts, true)118    const force = this.npm.config.get('force')119    const isDefaultTag = this.npm.config.isDefault('tag') && !manifest.publishConfig?.tag120 121    if (!force) {122      const isPreRelease = Boolean(semver.parse(manifest.version).prerelease.length)123      if (isPreRelease && isDefaultTag) {124        throw new Error('You must specify a tag using --tag when publishing a prerelease version.')125      }126    }127 128    // If we are not in JSON mode then we show the user the contents of the tarball129    // before it is published so they can see it while their otp is pending130    if (!json) {131      logPkg()132    }133 134    const resolved = npa.resolve(manifest.name, manifest.version)135 136    // make sure tag is valid, this will throw if invalid137    npa(`${manifest.name}@${defaultTag}`)138 139    const registry = npmFetch.pickRegistry(resolved, opts)140 141    await oidc({ packageName: manifest.name, registry, opts, config: this.npm.config })142 143    const creds = this.npm.config.getCredentialsByURI(registry)144    const noCreds = !(creds.token || creds.username || creds.certfile && creds.keyfile)145    const outputRegistry = replaceInfo(registry)146 147    // if a workspace package is marked private then we skip it148    if (workspace && manifest.private) {149      throw Object.assign(150        new Error(`This package has been marked as private151  Remove the 'private' field from the package.json to publish it.`),152        { code: 'EPRIVATE' }153      )154    }155 156    if (noCreds) {157      const msg = `This command requires you to be logged in to ${outputRegistry}`158      if (dryRun) {159        log.warn('', `${msg} (dry-run)`)160      } else {161        throw Object.assign(new Error(msg), { code: 'ENEEDAUTH' })162      }163    }164 165    if (!force) {166      const { highestVersion, versions } = await this.#registryVersions(resolved, registry)167      /* eslint-disable-next-line max-len */168      const highestVersionIsGreater = !!highestVersion && semver.gte(highestVersion, manifest.version)169 170      if (versions.includes(manifest.version)) {171        throw new Error(`You cannot publish over the previously published versions: ${manifest.version}.`)172      }173 174      if (highestVersionIsGreater && isDefaultTag) {175        throw new Error(`Cannot implicitly apply the "latest" tag because previously published version ${highestVersion} is higher than the new version ${manifest.version}. You must specify a tag using --tag.`)176      }177    }178 179    const access = opts.access === null ? 'default' : opts.access180    let msg = `Publishing to ${outputRegistry} with tag ${defaultTag} and ${access} access`181    if (dryRun) {182      msg = `${msg} (dry-run)`183    }184 185    log.notice('', msg)186 187    if (!dryRun) {188      await otplease(this.npm, opts, o => libpub(manifest, tarballData, o))189    }190 191    // In json mode we don't log until the publish has completed as this will192    // add it to the output only if completes successfully193    if (json) {194      logPkg()195    }196 197    if (spec.type === 'directory' && !ignoreScripts) {198      await runScript({199        event: 'publish',200        path: spec.fetchSpec,201        stdio: 'inherit',202        pkg: manifest,203      })204 205      await runScript({206        event: 'postpublish',207        path: spec.fetchSpec,208        stdio: 'inherit',209        pkg: manifest,210      })211    }212 213    if (!json && !silent) {214      output.standard(`+ ${pkgContents.id}`)215    }216  }217 218  async #registryVersions (spec, registry) {219    try {220      const packument = await pacote.packument(spec, {221        ...this.npm.flatOptions,222        preferOnline: true,223        registry,224        _isRoot: true,225      })226      if (typeof packument?.versions === 'undefined') {227        return { versions: [], highestVersion: null }228      }229      const ordered = Object.keys(packument?.versions)230        .flatMap(v => {231          const s = new semver.SemVer(v)232          if ((s.prerelease.length > 0) || packument.versions[v].deprecated) {233            return []234          }235          return s236        })237        .sort((a, b) => b.compare(a))238      const highestVersion = ordered.length >= 1 ? ordered[0].version : null239      const versions = ordered.map(v => v.version)240      return { versions, highestVersion }241    } catch (e) {242      return { versions: [], highestVersion: null }243    }244  }245 246  // if it's a directory, read it from the file system247  // otherwise, get the full metadata from whatever it is248  // XXX can't pacote read the manifest from a directory?249  async #getManifest (spec, opts, logWarnings = false) {250    let manifest251    if (spec.type === 'directory') {252      const changes = []253      const pkg = await pkgJson.fix(spec.fetchSpec, { changes })254      if (changes.length && logWarnings) {255        log.warn('publish', 'npm auto-corrected some errors in your package.json when publishing.  Please run "npm pkg fix" to address these errors.')256        log.warn('publish', `errors corrected:\n${changes.join('\n')}`)257      }258      // Prepare is the special function for publishing, different than normalize259      const { content } = await pkg.prepare()260      manifest = content261    } else {262      manifest = await pacote.manifest(spec, {263        ...opts,264        fullmetadata: true,265        fullReadJson: true,266      })267    }268    if (manifest.publishConfig) {269      const cliFlags = this.npm.config.data.get('cli').raw270      // Filter out properties set in CLI flags to prioritize them over271      // corresponding `publishConfig` settings272      const filteredPublishConfig = Object.fromEntries(273        Object.entries(manifest.publishConfig).filter(([key]) => !(key in cliFlags)))274      if (logWarnings) {275        for (const key in filteredPublishConfig) {276          this.npm.config.checkUnknown('publishConfig', key)277        }278      }279      flatten(filteredPublishConfig, opts)280    }281    return manifest282  }283}284 285module.exports = Publish286