Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP


Disallow private packages #67

wants to merge 7 commits into from

2 participants


This is only 3 lines of code changed in validate_doc_update, corresponding with the npm publish-privates pull request.

Packages are now rejected if they have "private":true set. Nobody can ever publish private packages to the central registry. OTOH, you can set the _security object, {"npm":{ "publish-privates":true }} (same as the npm config setting) and it will allow them.

The rest of the patch is the node-tap stuff. I figure it's about time we start unit testing the validator. It's the keys to the castle.


Sorry, please postpone this pull request. I need to make the validator less reality-challenged first.

It shouldn't check doc.private; it should (probably) loop through the doc.versions object and check if any of those are private.

I will update this pull request tomorrow (i.e. in about 10 hours).


@jhs Any update on this? I'm happy to pull in this and the associated npm update whenever you're ready.


Super out of date, and a different approach entirely is planned anyway.

@isaacs isaacs closed this
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.