Disallow private packages #67

wants to merge 7 commits into



jhs commented Jun 11, 2012

This is only 3 lines of code changed in validate_doc_update, corresponding with the npm publish-privates pull request.

Packages are now rejected if they have "private":true set. Nobody can ever publish private packages to the central registry. OTOH, you can set the _security object, {"npm":{ "publish-privates":true }} (same as the npm config setting) and it will allow them.

The rest of the patch is the node-tap stuff. I figure it's about time we start unit testing the validator. It's the keys to the castle.

jhs commented Jun 11, 2012

Sorry, please postpone this pull request. I need to make the validator less reality-challenged first.

It shouldn't check doc.private; it should (probably) loop through the doc.versions object and check if any of those are private.

I will update this pull request tomorrow (i.e. in about 10 hours).


isaacs commented Jun 17, 2012

@jhs Any update on this? I'm happy to pull in this and the associated npm update whenever you're ready.


isaacs commented May 5, 2014

Super out of date, and a different approach entirely is planned anyway.

@isaacs isaacs closed this May 5, 2014
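
The check jhs describes in the first two comments (reject private packages unless the `_security` object opts in, looking at each entry in `doc.versions` rather than at `doc.private`) could look like the sketch below. This is an added example, not the code from this pull request or from the registry; the helper names, the error message and the sample document are assumptions made for illustration.

```javascript
// Added illustration; not the code from this pull request.
// CouchDB calls validate_doc_update(newDoc, oldDoc, userCtx, secObj) and
// rejects the write when the function throws {forbidden: "..."}.

function privatesAllowed(secObj) {
  // Opt-in quoted in the thread: {"npm": {"publish-privates": true}}.
  // Only the boolean true counts, so a malformed value fails closed.
  var npm = secObj && secObj.npm;
  return !!npm && npm["publish-privates"] === true;
}

function privateVersions(doc) {
  // Per-version check. Assumption: any truthy "private" value marks the
  // version as private, so odd encodings are rejected rather than let in.
  var versions = (doc && doc.versions) || {};
  return Object.keys(versions).filter(function (v) {
    return !!(versions[v] && versions[v].private);
  });
}

function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  if (newDoc._deleted) return; // a deletion carries no versions to inspect
  if (privatesAllowed(secObj)) return;
  var bad = privateVersions(newDoc);
  if (bad.length > 0) {
    throw { forbidden: "private package versions not allowed: " + bad.join(", ") };
  }
}

// Constructed sample document: one public version, one private version.
var sampleDoc = {
  _id: "example-pkg",
  name: "example-pkg",
  versions: {
    "1.0.0": { name: "example-pkg", version: "1.0.0" },
    "1.1.0": { name: "example-pkg", version: "1.1.0", private: true }
  }
};

// Hypothetical helper: returns "ok" or the rejection message.
function check(doc, secObj) {
  try {
    validate_doc_update(doc, null, { name: "alice", roles: [] }, secObj);
    return "ok";
  } catch (e) {
    return e.forbidden;
  }
}
```

A top-level `doc.private` flag is deliberately ignored here, following the second comment; a document with no private version passes regardless of the `_security` setting.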
