
libnpmpublish public default is a footgun, and doesn't match usage #9414

@latentflip

Description

Summary

libnpmpublish currently documents and implements opts.access as defaulting to "public", but npm CLI itself relies on passing access: null to preserve registry/default access behavior.

I think libnpmpublish should treat omitted access the same way npm CLI does: no explicit access change, represented as null. The docs/types should also describe access as a tri-state value: "public", "restricted", or null.

Current Behavior

In libnpmpublish, omitted opts.access is defaulted to "public":

```js
opts = {
  access: 'public',
  algorithms: ['sha512'],
  defaultTag: 'latest',
  ...opts,
  spec,
}
```

That means callers who omit access get a publish payload with public access.

However, npm CLI’s access config default is null, and npm publish passes that through to libnpmpublish. It also labels null as default in the publish message.

Given that an omitted/null access value is treated by both the registry and the CLI as access: "restricted" for scoped packages, it's a bit of a footgun that libnpmpublish sets it to "public" by default if omitted.

Impact

This has caused a bug in, for example, pnpm, resulting in private packages being made public accidentally: pnpm/pnpm#11983.
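The following is an added example written for this page; it is not libnpmpublish's or npm CLI's own code. It contrasts the current defaulting the issue quotes (an omitted `access` silently becomes `'public'` because the spread only overrides keys the caller actually set) with the tri-state behaviour the issue proposes (omitted becomes `null`, meaning "no explicit access change", and only `"public"`, `"restricted"` or `null` are accepted). The function names `currentDefaults`, `proposedDefaults`, `payloadAccess` and `guardScopedPublish` are hypothetical and exist only for this illustration; the guard shows the kind of pre-publish check a wrapper can run to catch the scoped-package case that bit pnpm.

```javascript
// Added example, not libnpmpublish's own code. Function names below are
// hypothetical; the option shapes mirror what the issue describes.

// Mirrors the spread pattern quoted in the issue: a caller that omits
// `access` entirely inherits 'public', while a caller that passes
// `access: null` keeps null (the key is copied by the spread).
function currentDefaults(opts = {}) {
  return {
    access: 'public',
    algorithms: ['sha512'],
    defaultTag: 'latest',
    ...opts,
  };
}

// Proposed behaviour: omitted access becomes null (registry default) and the
// value is validated as a tri-state: 'public', 'restricted' or null.
const ACCESS_VALUES = new Set(['public', 'restricted', null]);

function proposedDefaults(opts = {}) {
  const access = opts.access === undefined ? null : opts.access;
  if (!ACCESS_VALUES.has(access)) {
    throw new TypeError(`invalid access value: ${String(access)}`);
  }
  return {
    algorithms: ['sha512'],
    defaultTag: 'latest',
    ...opts,
    access, // normalised value wins over whatever the caller spread in
  };
}

// Builds only the `access` part of a publish payload: null means the key is
// left out so the registry applies its own default, which for scoped
// packages is restricted.
function payloadAccess(access) {
  return access === null ? {} : { access };
}

// Defensive check for a wrapper around a publish call (hypothetical): a
// scoped package must carry an explicit access decision, so an omitted key
// is rejected instead of being widened to 'public' by a library default.
function guardScopedPublish(name, opts = {}) {
  const scoped = name.startsWith('@');
  if (scoped && !('access' in opts)) {
    return { ok: false, reason: 'scoped package without explicit access' };
  }
  const { access } = proposedDefaults(opts);
  return { ok: true, payload: payloadAccess(access) };
}

// Stand-alone demonstration with constructed inputs.
console.log('current, omitted  :', currentDefaults({}).access);          // 'public'
console.log('proposed, omitted :', proposedDefaults({}).access);         // null
console.log('guard, @scope/pkg :', guardScopedPublish('@acme/internal', {}));
console.log('guard, explicit   :', guardScopedPublish('@acme/internal', { access: 'restricted' }));
```

Usage note: the interesting case in `currentDefaults` is the difference between omitting the key and passing `access: null`; the spread copies own properties, so only a truly absent key picks up the `'public'` default. `proposedDefaults` collapses both to `null`, which is the value npm CLI already passes through, and `payloadAccess` turns that `null` into "send nothing and let the registry decide".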
