Disallow private packages #67

Closed
wants to merge 7 commits into from

2 participants

@jhs

This is only 3 lines of code changed in validate_doc_update, corresponding with the npm publish-privates pull request.

Packages are now rejected if they have "private":true set. Nobody can ever publish private packages to the central registry. OTOH, you can set the _security object, {"npm":{ "publish-privates":true }} (same as the npm config setting) and it will allow them.

The rest of the patch is the node-tap stuff. I figure it's about time we start unit testing the validator. It's the keys to the castle.

@jhs

Sorry, please postpone this pull request. I need to make the validator less reality-challenged first.

It shouldn't check doc.private; it should (probably) loop through the doc.versions object and check if any of those are private.

I will update this pull request tomorrow (i.e. in about 10 hours).
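The check discussed in the two comments above, as an added example that is not code from this pull request or from the registry project: a CouchDB `validate_doc_update` function that loops over `doc.versions` and rejects the write if any version is marked private, unless the database `_security` object opts in. It assumes each `doc.versions` entry holds that version's package.json fields; the helper names and sample documents are constructed for illustration.

```javascript
// Added example; helper names (hasPrivateVersion, allowsPrivates, check) are hypothetical.
// Assumption: doc.versions maps version strings to that version's package.json fields.
function hasPrivateVersion(doc) {
  var versions = doc.versions || {};
  return Object.keys(versions).some(function (v) {
    // Fail closed: any truthy "private" value counts, not only boolean true.
    return Boolean(versions[v] && versions[v].private);
  });
}

// The opt-in lives in the database _security object:
// {"npm":{"publish-privates":true}}. Only a literal true enables it.
function allowsPrivates(secObj) {
  return Boolean(secObj && secObj.npm && secObj.npm["publish-privates"] === true);
}

// CouchDB calls validators as (newDoc, oldDoc, userCtx, secObj) and treats a
// thrown {forbidden: ...} object as a rejected write.
function validate_doc_update(newDoc, oldDoc, userCtx, secObj) {
  if (newDoc._deleted) return; // deletions carry no versions to inspect
  if (hasPrivateVersion(newDoc) && !allowsPrivates(secObj)) {
    throw { forbidden: "private packages may not be published to this registry" };
  }
}

// Small harness for exercising the validator outside CouchDB.
function check(doc, secObj) {
  try {
    validate_doc_update(doc, null, { name: "alice", roles: [] }, secObj);
    return "ok";
  } catch (e) {
    return e && e.forbidden ? "forbidden" : "error";
  }
}

// Constructed sample documents.
var publicDoc = { _id: "foo", versions: { "1.0.0": { name: "foo", version: "1.0.0" } } };
var mixedDoc = {
  _id: "bar",
  versions: {
    "1.0.0": { name: "bar", version: "1.0.0" },
    "1.1.0": { name: "bar", version: "1.1.0", private: true }
  }
};

console.log(check(publicDoc, {}), check(mixedDoc, {}),
            check(mixedDoc, { npm: { "publish-privates": true } }));
```

A validator like this is the kind of function the node-tap tests mentioned in the first comment would exercise, since each rule reduces to a document plus a `_security` object in and accept or reject out.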

@isaacs
Owner

@jhs Any update on this? I'm happy to pull in this and the associated npm update whenever you're ready.

@isaacs
Owner

Super out of date, and a different approach entirely is planned anyway.

@isaacs isaacs closed this