You may or may not have noticed that there is a new package naming rule for the npm registry! As of early this week, the team has merged new functionality that will help prevent confusion and security vulnerabilities caused by unscoped packages with extremely similar names.
When you publish a package, npm takes your package name and compares it to the names of packages already in the registry. If, after removing dots, dashes, and underscores (`.`, `-`, `_`) from both your new package's name and each existing name, your name matches a name already in the registry, npm will block the publish and recommend that you publish it as a scoped package instead.
We recommend that you search for your intended package name using npm's search. If a package exists whose name differs from the name you would like to use only in punctuation, you should pick a new name, or publish your package under a scope.
For example:
- if a package called `myawesomepkg` already exists, you cannot publish a package called `my-awesome-pkg` or `my.awesome-pkg`
- if a package called `best.tool.ever` already exists, you cannot publish a package called `best_tool_ever` or `besttoolever`
If you would like to keep your originally intended package name, you can! However, you'll need to publish it under your scope. To do that:
- Open your `package.json`. Under the `name` attribute, change `<pkgname>` to `@<yourusername>/<pkgname>`. For example, `{ "name": "my-awesome-pkg" }` becomes `{ "name": "@ag_dubs/my-awesome-pkg" }`.
- Next, in your terminal, type `npm publish --access=public`. Scoped packages are private by default, so passing the `--access=public` flag ensures that it will be published publicly. For more information on working with scoped packages, check out our docs.
- You should be all set! To install your new package you can run `npm install @<scope>/<pkg>`. For example: `npm install @ag_dubs/my-awesome-pkg`.
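The collision rule described above and the scoped-name workaround, together, as an added example. This is not npm's own implementation of the check; the registry contents are constructed for the example, and it assumes two things the post does not state: that names are compared in lowercase, and that scoped names (`@scope/pkg`) are exempt, since the rule targets unscoped names.

```javascript
// Added example, not npm's own code: a model of the publish-time name check
// described in the post, with the scoped-name fallback it recommends.
// Assumptions (not stated on the page): names are compared in lowercase, and
// scoped names (@scope/pkg) skip the check because the rule targets unscoped
// names. The registry snapshot below is constructed for the example.

// Collapse a name the way the rule does: strip '.', '-' and '_'.
function normalize(name) {
  return name.toLowerCase().replace(/[._-]/g, '');
}

// Index existing registry names by their collapsed form, so one lookup finds
// every package that differs from a candidate only in punctuation.
function buildIndex(existingNames) {
  const index = new Map();
  for (const existing of existingNames) {
    const key = normalize(existing);
    if (!index.has(key)) index.set(key, []);
    index.get(key).push(existing);
  }
  return index;
}

// Decide whether `name` may be published unscoped. `scope` is the publisher's
// username, used to build the recommendation when the name is blocked.
function checkPublish(name, index, scope) {
  if (name.startsWith('@')) {
    return { ok: true, reason: 'scoped name; the rule does not apply' };
  }
  // Names with the same collapsed form but a different spelling are the
  // near-misses the rule exists to block. An exact match is the ordinary
  // "name already taken" case, governed by ownership rather than this rule.
  const matches = index.get(normalize(name)) || [];
  const conflicts = matches.filter((m) => m.toLowerCase() !== name.toLowerCase());
  if (conflicts.length === 0) {
    return {
      ok: true,
      reason: matches.length ? 'exact name exists; ownership check applies' : 'name is free',
    };
  }
  return {
    ok: false,
    conflicts,
    suggestion: `@${scope}/${name}`,
    publishCommand: 'npm publish --access=public',
  };
}

// The package.json edit from the post: keep every other field, scope the name.
function scopeManifest(manifest, scope) {
  return { ...manifest, name: `@${scope}/${manifest.name}` };
}

// Constructed registry snapshot for the example.
const REGISTRY = ['myawesomepkg', 'best.tool.ever', 'lodash'];
const INDEX = buildIndex(REGISTRY);

// Demo: the post's two examples, a free name, and a scoped name.
for (const candidate of ['my-awesome-pkg', 'best_tool_ever', 'something-else', '@ag_dubs/my-awesome-pkg']) {
  console.log(candidate, JSON.stringify(checkPublish(candidate, INDEX, 'ag_dubs')));
}
console.log(JSON.stringify(scopeManifest({ name: 'my-awesome-pkg', version: '1.0.0' }, 'ag_dubs')));
```

The index is keyed on the collapsed form so the check is a single map lookup per publish rather than a scan of the registry; a real implementation would also have to apply the same normalization to names that already exist, which is why the constructed registry above is indexed through `normalize` rather than stored as-is.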
No! However, private packages cost money, so if you accidentally forget the `--access=public` flag, you will get an error message indicating that you need to pay. This might be misinterpreted as scoped packages costing money, but that's not the case! As long as you publish publicly, any of your packages, scoped or not, are free, forever.
In conclusion, we are excited to see this new change reduce confusion on the npm registry and improve security for all involved! If you have any questions/comments/concerns, shoot us a note at support@npmjs.com or tweet at us @npm_support.
@Scoped packages, unfortunately, are likely to get less adoption (there's probably a bunch of reasons why). So this is less than ideal when a name is similar and you find you can publish your package. 😢
Why not something like this idea instead? npm/npm#19438 (comment)