[RRFC] remove --access public for initial publish of scoped modules #572

Closed
bnb opened this issue Apr 18, 2022 · 3 comments

Comments

@bnb

bnb commented Apr 18, 2022

Motivation ("The Why")

Currently, to publish a scoped module for the first time you need to include --access public unless the organization you're publishing it to is on a paid plan, in which case it will be published privately. My guess is that the majority of npm users who are publishing are not, in fact, publishing to paid organizations and having that path be the default makes... little sense at this point in time.

Especially with the intersection of npm workspaces providing a good interface for scoped modules from a single source and the recent malicious usage the registry has seen, I think it would be nice to reduce the barrier to entry to publishing into scopes by normalizing the publishing experience across scoped namespace and global namespace packages and dropping --access private as the default for publishing a scoped module.

There are some compounding reasons why I don't feel like this is a particularly big deal:

  • if you have an oopsie you can always change to restricted later
  • the global namespace does not have this concept and it's not a problem there
  • the DX of having to do this for some projects but not others is confusing and absolutely not intuitive
  • npm probably doesn't care about pushing paid teams as much as it was once... required to

How

Current Behaviour

  • --access public is required to publish a scoped module on initial publish

Desired Behaviour

  • --access public is not required to publish a scoped module on initial publish
@ljharb
Contributor

ljharb commented Apr 19, 2022

One consequence/benefit of this change might be that organization members would presumably be able to publish a scoped package for the first time - currently, it requires an org admin (or owner) to publish the first one.

@darcyclarke
Contributor

Closing as we discussed in the npm RFC calls that we'll get a new flag added to npm init for --init-private=true|false & then in v9 we'll change that alongside changes to access for npm publish.

@ljharb
Contributor

ljharb commented May 4, 2022

(in parallel with changing the default so that scoped packages are assumed to be public)

@darcyclarke darcyclarke removed the Agenda will be discussed at the Open RFC call label May 4, 2022
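
Added example (not code from npm or from any participant in this thread): a pre-publish audit that lists the workspace packages whose first-publish visibility would differ between the current scoped default (restricted) and the proposed one (public), so that access can be stated explicitly before a CLI upgrade. The function names and sample manifests are hypothetical; the access model is a simplification built on the `private` field, `publishConfig.access` and the `--access` flag.

```javascript
// Added example. Function names and sample manifests are hypothetical.
// Simplified model of access on a package's FIRST publish:
//   - "private": true        -> npm refuses to publish
//   - unscoped name          -> always public
//   - scoped name            -> --access flag, else publishConfig.access,
//                               else the CLI's default for scoped packages
function effectiveAccess(manifest, opts = {}) {
  const { cliAccess = null, scopedDefault = 'restricted' } = opts;
  if (manifest.private === true) return 'unpublishable';
  const scoped = /^@[^/]+\/[^/]+$/.test(String(manifest.name));
  if (!scoped) return 'public';
  const configured =
    cliAccess || (manifest.publishConfig && manifest.publishConfig.access);
  if (configured === 'public' || configured === 'restricted') return configured;
  return scopedDefault;
}

// Packages whose first-publish visibility differs between the two defaults,
// i.e. packages that rely on the implicit default rather than stating access.
function auditDefaultChange(manifests) {
  return manifests
    .map((m) => ({
      name: m.name,
      current: effectiveAccess(m, { scopedDefault: 'restricted' }),
      proposed: effectiveAccess(m, { scopedDefault: 'public' }),
    }))
    .filter((r) => r.current !== r.proposed);
}

// Constructed workspace manifests (not real packages).
const SAMPLE_MANIFESTS = [
  { name: 'left-util' },
  { name: '@acme/internal-billing' },
  { name: '@acme/ui', publishConfig: { access: 'public' } },
  { name: '@acme/secrets', publishConfig: { access: 'restricted' } },
  { name: '@acme/tooling', private: true },
];

for (const r of auditDefaultChange(SAMPLE_MANIFESTS)) {
  console.log(`${r.name}: ${r.current} -> ${r.proposed} (set publishConfig.access explicitly)`);
}
```

Any package the audit reports is one whose visibility is decided by the CLI default rather than by its manifest; pinning `publishConfig.access` in `package.json` removes that dependence.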