| 1 | +# Publish prompt |
| 2 | + |
| 3 | +## Summary |
| 4 | + |
| 5 | +Publishing a package should prompt a confirmation prompt, allowing users to validate their package info before uploading their package tarball. |
| 6 | + |
| 7 | +## Motivation |
| 8 | + |
| 9 | +Breaking the prompt into a two-step operation allows for a validation of contents prior to uploading the package but it also enable new possibilities such as printing warnings promotting 2FA adoption, etc. |
| 10 | + |
| 11 | +## Detailed Explanation and Rationale |
| 12 | + |
| 13 | +`npm publish` should ask for a confirmation prompt prior to uploading the package tarball. |
| 14 | + |
| 15 | +Currently "publish" has a very nice behavior for users that have 2FA enabled, one in which it stops the publish process in order to ask for the OTP code, allowing for a review of the file contents prior to uploading the tarball file. |
| 16 | + |
| 17 | +It would be very nice to expand that "review" |
| 18 | + |
| 19 | +## Alternatives |
| 20 | + |
| 21 | +Not change it, just keep the current behavior? |
| 22 | + |
| 23 | +## Implementation |
| 24 | + |
| 25 | +This is a breaking change from the current `npm publish` behavior, it would prompt the user for confirmation: |
| 26 | + |
| 27 | +```sh |
| 28 | +$ npm publish |
| 29 | + |
| 30 | +npm notice |
| 31 | +npm notice 📦 disparity@3.0.0 |
| 32 | +npm notice === Tarball Contents === |
| 33 | +npm notice 183B bin/disparity |
| 34 | +npm notice 2.1kB disparity-cli.js |
| 35 | +npm notice 4.3kB disparity.js |
| 36 | +npm notice 999B package.json |
| 37 | +npm notice 875B CHANGELOG.md |
| 38 | +npm notice 1.1kB LICENSE.md |
| 39 | +npm notice 3.7kB README.md |
| 40 | +npm notice === Tarball Details === |
| 41 | +npm notice name: disparity |
| 42 | +npm notice version: 3.0.0 |
| 43 | +npm notice filename: disparity-3.0.0.tgz |
| 44 | +npm notice package size: 5.2 kB |
| 45 | +npm notice unpacked size: 13.3 kB |
| 46 | +npm notice shasum: 4344ee202484ab134227913a3af6f4a0ae5f0a59 |
| 47 | +npm notice integrity: sha512-NAItmPQyt6dya[...]m5N3kfPPJYj0w== |
| 48 | +npm notice total files: 7 |
| 49 | +npm notice |
| 50 | + |
| 51 | +This operation will publish your package to the npm registry. |
| 52 | +Do you wish to proceed? [Y/n] |
| 53 | +``` |
| 54 | + |
| 55 | +The user can also provide a `--yes` option that can skip the prompt and keep a behavior that is identical to the current: |
| 56 | + |
| 57 | +``` |
| 58 | +$ npm publish --yes |
| 59 | +``` |
| 60 | + |
| 61 | +## Prior Art |
| 62 | + |
| 63 | +Currently `npm publish` will automatically publish the tarball to the registry in case the user does not have OTP enabled. |
| 64 | + |
| 65 | +## Unresolved Questions and Bikeshedding |
| 66 | + |
| 67 | +TBD |
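Review bot: The Implementation section (new lines 25-59) makes the prompt a breaking change but does not say what `npm publish` does when stdin is not a TTY, for example in CI or a scripted release. Please specify whether it fails closed with a message pointing at `--yes` or proceeds as it does today, since a prompt that blocks a pipeline or is silently auto-accepted defeats the review step the RFC is after. The sample prompt on line 52 shows `[Y/n]`, so a bare Enter publishes; if the goal is to let users validate the tarball contents before upload, consider defaulting to no (`[y/N]`) or state why yes is the default. Separately, the paragraph on line 17 stops mid-sentence after `expand that "review"`, line 9 has "it also enable" and "promotting", and Unresolved Questions is only `TBD`; the non-TTY behavior and the prompt default would be good entries there.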