publish-please-custom-publish-command

2.4.0 • Public • Published

Publish, please!


Safe and highly functional replacement for `npm publish`.


There are numerous ways to "shoot yourself in the foot" using npm publish. The purpose of this module is to replace npm publish for your packages with a safe and more functional alternative, which will allow you to:

  • Run tests or build steps before publishing (because prepublish is broken).
  • Check for sensitive data in your package to be sure that you didn't leak it by accident (further reading: Do not underestimate credentials leaks).
  • Check for vulnerable dependencies using Node Security Project data.
  • Check that you are on the correct git branch.
  • Check that the git tag matches the version specified in package.json.
  • Check that there are no uncommitted changes in the working tree.
  • Check that there are no untracked files in the working tree.
  • Force usage of an npm publish tag where necessary, so you can be sure you're not publishing a preview version of your package as a release version.
  • Get a release summary and a publishing confirmation.
  • Configure publishing using the built-in configuration wizard.

Getting started

The setup process for publish-please is quite trivial: just run

npm install --save-dev publish-please

in your project's directory.

Once it finishes installing, publish-please will automatically run its configuration wizard, which will guide you through some simple steps to set up the features you want to use.

If you forgot to configure something, or just changed your mind and want to change the configuration, run

npm run publish-please config

to return to the wizard.

So, once you're done with the wizard, npm publish for your package is disabled from now on (Muahahaha 😈).

But don't worry, it's done for a good reason: to prevent you or your co-workers from running an unsafe publishing process. Use the awesome version instead:

npm run publish-please

Options

  • prePublishScript - Specifies the command that will be run before publishing (e.g. npm test). Use it for builds and tests. Default: npm test.
  • postPublishScript - Specifies the command that will be run after successful publishing. Use it for release announcements, creating a GitHub release, uploading binaries, etc. Default: `` (no command).
  • publishCommand - Specifies the command used to publish the package. Default: npm publish.
  • publishTag - Specifies the tag with which the package will be published. See the npm publish docs for more info. Default: latest.
  • confirm - Ask for confirmation before publishing. Default: true.

Validations

  • uncommittedChanges - Check that there are no uncommitted changes in the working tree. Default: true.
  • untrackedFiles - Check that there are no untracked files in the working tree. Default: true.
  • gitTag - Check that the git tag matches the version specified in package.json. Default: true.
  • branch - Check that the current branch matches the specified branch. Default: master.
  • sensitiveData - Perform an audit for sensitive data. Default: true.
  • vulnerableDependencies - Check for vulnerable dependencies using Node Security Project data. Default: true.

Sensitive information audit

Important note: the tool provides only a very basic sensitive data check. Do not rely on it fully. Always perform manual checks for sensitive data in your packages.

The check is performed for the following items:

  • Private SSH key
  • Potential cryptographic private key
  • Potential cryptographic key bundle
  • Pidgin OTR private key
  • Shell command history file
  • MySQL client command history file
  • PostgreSQL client command history file
  • Ruby IRB console history file
  • Pidgin chat client account configuration file
  • Hexchat/XChat IRC client server list configuration file
  • Irssi IRC client configuration file
  • Recon-ng web reconnaissance framework API key database
  • DBeaver SQL database manager configuration file
  • Mutt e-mail client configuration file
  • S3cmd configuration file
  • T command-line Twitter client configuration file
  • OpenVPN client configuration file
  • Well, this is awkward... Gitrob configuration file
  • Shell configuration file
  • Shell profile configuration file
  • Shell command alias configuration file
  • Ruby On Rails secret token configuration file
  • OmniAuth configuration file
  • Carrierwave configuration file
  • Ruby On Rails database schema file
  • Potential Ruby On Rails database configuration file
  • Django configuration file
  • PHP configuration file
  • KeePass password manager database file
  • 1Password password manager database file
  • Apple Keychain database file
  • GNOME Keyring database file
  • Log file
  • Network traffic capture file
  • SQL dump file
  • GnuCash database file
  • Contains word: backup
  • Contains word: dump
  • Contains word: password
  • Contains words: private, key
  • Jenkins publish over SSH plugin file
  • Potential Jenkins credentials file
  • Apache htpasswd file
  • Configuration file for auto-login process
  • KDE Wallet Manager database file
  • Potential MediaWiki configuration file
  • Tunnelblick VPN configuration file
  • Rubygems credentials file
  • Potential MSBuild publish profile
  • PHP dotenv

Check out my other packages used by this tool

  • cp-sugar - Some sugar for child_process module.
  • elegant-status - Create elegant task status for CLI.
  • pkgd - Get package publish info: package.json and file list.
  • promisify-event - Promisify EventEmitter's event.

Author

Ivan Nikulin (ifaaan@gmail.com)

Install: npm i publish-please-custom-publish-command

Version: 2.4.0

License: MIT

Unpacked Size: 33.4 kB

Total Files: 19

Collaborators: belym.a.2105