There are numerous ways to "shoot yourself in the foot" using `npm publish`. The purpose of this module is to validate that your project is ready to be published in a safe way.
It checks the following:
- `package.json` file is valid
- build passes (unreleased)
- tests pass
- there is no sensitive data embedded in the package that will be sent to the registry
- there are no useless files (like test files) embedded in the package that will be sent to the registry
- there are no vulnerable dependencies (unreleased)
- there are no uncommitted changes in the working tree
- there are no untracked files in the working tree
- current branch is `master` or `release`
- git tag matches the version specified in the `package.json`
- all licenses declared in production dependencies are valid (unreleased)
If you are running node 8 or above, and the `package.json` file has an already existing `prepublish` script, you should rename that script to `prepublishOnly` before using `release-checker`.
- Run `npm help scripts` to get more details.
Install:
- local install: `npm install --save-dev release-checker`, then add this script in the `scripts` section of the `package.json` file:
  ```json
  "scripts": { "release-checker": "release-checker" },
  ```
- global install: `npm install -g release-checker`

Run:
- local install: `npm run release-checker`
- global install: `release-checker`
- zero install: `npx release-checker`
When you specify no option, all checkers will run.
If you want to run only specific checkers, use the command-line options specific to these checkers.

- Ensure that the current branch is `master` or `release`.
- Ensure there are no uncommitted files in the working tree:
  `npx release-checker --uncommited-files`
- Customize the sensitive or useless data checker. This will create, in the current directory, a `.sensitivedata` file that you can customize to fit your needs:
  `npx release-checker --customize-sensitivedata`
- Show help:
  `npx release-checker --help`
- Ensure there is no sensitive or useless data in the npm package:
  `npx release-checker --sensitivedata`
- Use the `--skip-...` options when you want to run all checkers except specific ones. For example, this command will run all checkers except the test checker:
  `npx release-checker --skip-test`
  This other example will run all checkers except the test checker and the git-branch checker:
  `npx release-checker --skip-test --skip-branch`
  The above command could also be rewritten as:
  `npx release-checker --skip-t --skip-b`
- Ensure that the latest git tag matches the `package.json` version:
  `npx release-checker --tag`
- Ensure that the command `npm test` is successful:
  `npx release-checker --test`
- Ensure there are no untracked files in the working tree:
  `npx release-checker --untracked-files`
This checker checks that there are no sensitive and no useless files inside the to-be-published package. This check runs only if the npm version is 5.9.0 or above.
It will detect the following files:
- Benchmark files
- Configuration files
  - CI
  - eslint
  - GitHub
  - JetBrains
  - Visual Studio Code
- Coverage files
- Demo files
- Dependency directories
- Doc files
- Example files
- Log files
- Private SSH key
- Script files
- Secret files
- Source files
- Temp files
- Test files
- Zip files
- Output of the `npm pack` command
These files are defined inside the built-in `.sensitivedata` file.
You may completely override this file by creating a `.sensitivedata` file in the root directory of your project so that this checker fits your needs:
- to create this file, just run the command: `npx release-checker --customize-sensitivedata`
- if you create your own `.sensitivedata` file, and the `package.json` file has no `files` section, consider adding `.sensitivedata` to the `.npmignore` file.
This project is a port of all validations provided by publish-please.