Create a gist now

Instantly share code, notes, and snippets.

@ashleygwilliams /typosquat.md Secret
Last active Jan 5, 2018

What would you like to do?

New Package Monikers: Blocking Potential Typosquats

You may or may not have noticed that there is a new package naming rule for the npm registry! As of early this week, the team has merged new functionality that will help prevent confusion and security vulnerabilities as a result of unscoped packages with extremely similar names.

How It Works

When you publish a package, npm will take your package name and compare it to other packages' names in the registry. If, after removing dots, dashes, and underscores (., -, _) from your new package's name and previously existing packages, your new package name matches a package name already in the registry, npm will block the publish and recommend that you publish it as a scoped package.

How Can I Tell If My Package Name Will Be Affected

We recommend that you search for your intended package name using npm's search. If a package exists that has a name that only differs in punctuation from the name you would like to use, you should pick a new name, or add a scope to the existing package name.

For example:

  • if a package called myawesomepkg already exists, you cannot publish a package called my-awesome-pkg or my.awesome-pkg
  • if a package called best.tool.ever already exists, you cannot publish a package called best_tool_ever or besttoolever

How to Publish a Scoped Package

If you would like to keep your originally intended package name you can! However, you'll need to publish it under your scope. To do that:

  1. Open your package.json. Under the name attribute, change <pkgname> to <@yourusername>/<pkgname>. For example:

    {
      "name": "my-awesome-pkg"
    }

    becomes

    {
      "name": "@ag_dubs/my-awesome-pkg"
    }
  2. Next, in your terminal, type:

    npm publish --access=public 
    

    Scoped packages are private by default, so passing the --access=public flag ensures that it will be published publicly.

    For more information on working with scoped packages, check out our docs.

  3. You should be all set! To install your new package you can run npm install @<scope>/<pkg>. For example:

    npm install @ag_dubs/my-awesome-pkg
    

Do Scoped Packages Cost Money?

No!

However, private packages cost money, so if you accidentally forget the --access=public flag, you will get an error message indicating that you need to pay money. This might be misintrepretted as scoped packages costing money- but that's not the case! As long as you publish publicly, any of your packages, scoped or not, are free- forever.

Conclusion

In conclusion, we are excited to see this new change reduce confusion on the npm registry and improve security for all involved! If you have any questions/comments/concerns, shoot us a note at support@npmjs.com or tweet at us @npm_support.

trusktr commented Jan 5, 2018

@Scoped packages, unfortunately, are likely to get less adoption (there's probably a bunch of reasons why). So this is less than ideal when a name is similar and you find you can publish your package. 😢

Why not something this idea instead? npm/npm#19438 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment