Last active January 5, 2018 21:15

New Package Monikers: Blocking Potential Typosquats

You may or may not have noticed that there is a new package naming rule for the npm registry! As of early this week, the team has merged new functionality that helps prevent the confusion and the security risk (typosquatting) that arise when unscoped packages have nearly identical names.

How It Works

When you publish a package, npm compares your package name with the names already in the registry. It strips dots, dashes, and underscores (., -, _) from your new name and from every existing name; if your stripped name matches the stripped name of a package already in the registry, npm blocks the publish and recommends that you publish the package under a scope instead. The check runs on the registry side at publish time, so a local name search is only an early warning, not a guarantee.

How Can I Tell If My Package Name Will Be Affected?

We recommend that you search for your intended package name using npm's search. If a package exists whose name differs from yours only in punctuation, you should either pick a new name or add a scope to your intended package name.

For example:

  • if a package called myawesomepkg already exists, you cannot publish a package called my-awesome-pkg or my.awesome-pkg
  • if a package called best.tool.ever already exists, you cannot publish a package called best_tool_ever or besttoolever

How to Publish a Scoped Package

If you would like to keep your originally intended package name you can! However, you'll need to publish it under your scope. To do that:

  1. Open your package.json. Under the name attribute, change <pkgname> to @<yourusername>/<pkgname>. For example, this:

      "name": "my-awesome-pkg"

     becomes:

      "name": "@ag_dubs/my-awesome-pkg"
  2. Next, in your terminal, type:

    npm publish --access=public 

    Scoped packages are private by default, so passing the --access=public flag ensures that the package is published publicly.

    For more information on working with scoped packages, check out our docs.

  3. You should be all set! To install your new package you can run npm install @<scope>/<pkg>. For example:

    npm install @ag_dubs/my-awesome-pkg

Do Scoped Packages Cost Money?


No. Public scoped packages are free. Private packages, however, do cost money, so if you forget the --access=public flag you will get an error message indicating that you need to pay. This is easy to misinterpret as scoped packages costing money, but that is not the case: as long as you publish publicly, any of your packages, scoped or not, are free, forever.


In conclusion, we are excited to see this new change reduce confusion on the npm registry and improve security for all involved! If you have any questions/comments/concerns, shoot us a note at or tweet at us @npm_support.


trusktr commented Jan 5, 2018

@Scoped packages, unfortunately, are likely to get less adoption (there's probably a bunch of reasons why). So this is less than ideal when a name is similar and you find you can publish your package. 😢

Why not something like this idea instead? npm/npm#19438 (comment)
