Check package permission on the registry about npm HOT 7 OPEN

During the npm release I ended up having an error:

npm ERR! This package has been marked as private
npm ERR! Remove the 'private' field from the package.json to publish it.

This could be prevented within verify stage by controlling if the package.json is having a false value for the key private.

It should break with:

{
+ "private": "true"
}

from npm.

Maybe private: true should have the same effect as npmPublish: false, i.e. skip publish and just create the package locally, without erroring out?

from npm.

@pvdlg according to https://docs.npmjs.com/files/package.json#private:

If you set "private": true in your package.json, then npm will refuse to publish it.
This is a way to prevent accidental publication of private repositories. If you would like to ensure that a given package is only ever published to a specific registry (for example, an internal registry), then use the publishConfig dictionary described below to override the registry config param at publish-time.

I believe private: true and npmPublish: false are different configuration. private: true is specifically designed to return an exit code 1.

from npm.

But in the context of semantic-release you can set private: false to make sure the package is not published on npm but still want to update the version in package.json, commit the package.json to the repo, make a release on GitHub, create a tag etc...

If you throw an error when private is true that means you can't use this plugin at all, therefore you can't update the version in package.json and you can't generate the package with npm pack.

Having a package with private set to true for safety (like outside of the semantic-release context) and wanting to update the version seems a valid use to me.

from npm.

you can't generate the package with npm pack.

This is not true, this is how we install our private package which are not released on any registries.

We use private: true by default, and we have a specific command to remove it from our package.json.

I agree that a warning would be sufficient as we may want to tag a GitLab/GitHub version.

from npm.

This is not true, this is how we install our private package which are not released on any registry.

What I'm saying is that if @semantic-release/npm throws an error when private: true that means you can't use it to generate the package with npm pack.
Currently if you set npmPublish: false the plugin will run npm pack instead of npm publish.

My point is that there is no reason to throw an error is private: false because it would prevent users in such situation to use other feature of the plugin.

from npm.

This just bit me:

I just had a case where a user mistakenly didn't have public rights to the npm package (after changing tokens and using a different user for the token a couple weeks ago).

However, the verifyConditions didn't catch this. It was only caught when the npm publish step failed with a 403 error message stating the user doesn't have publish rights.

That meant the the git tag was still pushed to the repo, leaving the tag out of sync. Retrying the build would then not publish, because the tag was already pushed.

from npm.