
@ashleygwilliams
Last active January 5, 2018 21:15

New Package Monikers: Blocking Potential Typosquats

You may or may not have noticed that there is a new package naming rule for the npm registry! As of early this week, the team has merged new functionality that will help prevent confusion and security vulnerabilities as a result of unscoped packages with extremely similar names.

How It Works

When you publish a package, npm compares your package name against the names already in the registry. If, after removing dots, dashes, and underscores (., -, _) from both your new package's name and each existing name, your name matches an existing one, npm blocks the publish and recommends that you publish it as a scoped package instead.

How Can I Tell If My Package Name Will Be Affected?

We recommend that you search for your intended package name using npm's search. If a package exists whose name differs from the name you would like to use only in punctuation, you should either pick a new name or publish the name you want under your scope.

For example:

  • if a package called myawesomepkg already exists, you cannot publish a package called my-awesome-pkg or my.awesome-pkg
  • if a package called best.tool.ever already exists, you cannot publish a package called best_tool_ever or besttoolever
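The moniker comparison described above, as an added example that simulates the check locally; this is not npm's registry code, and the list of existing package names is constructed for the demo:

```javascript
// Reduce a package name to its "moniker": the name with dots, dashes and
// underscores removed, which is what the registry rule compares.
function moniker(name) {
  return name.replace(/[._-]/g, '');
}

// Build a lookup from moniker to the existing package name(s) that share it.
function buildMonikerIndex(existingNames) {
  const index = new Map();
  for (const existing of existingNames) {
    const key = moniker(existing);
    if (!index.has(key)) index.set(key, []);
    index.get(key).push(existing);
  }
  return index;
}

// Simulate the publish-time decision. Scoped names (@scope/name) are not
// subject to this rule, which only applies to unscoped packages, so they
// pass straight through. `scope` is the publisher's own scope, used only to
// build the suggested alternative name.
function checkPublish(name, existingNames, scope) {
  if (name.startsWith('@')) return { allowed: true, conflicts: [] };
  const conflicts = buildMonikerIndex(existingNames).get(moniker(name)) || [];
  if (conflicts.length === 0) return { allowed: true, conflicts: [] };
  return { allowed: false, conflicts, suggestion: `@${scope}/${name}` };
}

// Constructed registry snapshot mirroring the two examples in the text.
const EXISTING_PACKAGES = ['myawesomepkg', 'best.tool.ever', 'lodash'];

// Run the page's examples plus a scoped name and a genuinely new name.
function demo() {
  const names = ['my-awesome-pkg', 'my.awesome-pkg', 'best_tool_ever',
                 'besttoolever', '@ag_dubs/my-awesome-pkg', 'totally-new'];
  return names.map((n) => [n, checkPublish(n, EXISTING_PACKAGES, 'ag_dubs')]);
}

for (const [name, result] of demo()) {
  console.log(name, '->', result.allowed ? 'ok' :
    `blocked (conflicts with ${result.conflicts.join(', ')}; try ${result.suggestion})`);
}
```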

How to Publish a Scoped Package

If you would like to keep your originally intended package name you can! However, you'll need to publish it under your scope. To do that:

  1. Open your package.json. Under the name attribute, change <pkgname> to @<yourusername>/<pkgname>. For example:

    {
      "name": "my-awesome-pkg"
    }

    becomes

    {
      "name": "@ag_dubs/my-awesome-pkg"
    }
  2. Next, in your terminal, type:

    npm publish --access=public

    Scoped packages are private by default, so passing the --access=public flag ensures that the package is published publicly.

    For more information on working with scoped packages, check out our docs.

  3. You should be all set! To install your new package you can run npm install @<scope>/<pkg>. For example:

    npm install @ag_dubs/my-awesome-pkg

Do Scoped Packages Cost Money?

No!

However, private packages cost money, so if you accidentally forget the --access=public flag, you will get an error message indicating that you need to pay. This might be misinterpreted as scoped packages costing money, but that's not the case! As long as you publish publicly, any of your packages, scoped or not, are free, forever.

Conclusion

We are excited to see this new change reduce confusion on the npm registry and improve security for all involved! If you have any questions, comments, or concerns, shoot us a note at support@npmjs.com or tweet at us @npm_support.

@trusktr

trusktr commented Jan 5, 2018

Scoped packages, unfortunately, are likely to get less adoption (there's probably a bunch of reasons why). So this is less than ideal when a name is similar and you find you can publish your package. 😢

Why not something like this idea instead? npm/npm#19438 (comment)
