Validate your npm package maintainers to limit your bus factor
This package validates a
localMaintainers field which you can set to match the npm-set
maintainers field. This makes it easier to limit your bus-factor for npm packages, by making sure that you have more than one person who can publish to an npm package.
The set of people who maintain a repository on GitHub and who maintain an npm repository are not always the same. This package helps you figure out quickly if the maintainers for an npm package have been specified in the
package.json in a new field,
localMaintainers. The advantage of setting this field in the manifest is that:
- Maintenance rights become part of the commit history
- Npm doesn't currently publicize this information in their API
- It is easy to check who has or should have publishing rights
Using another field instead of
authors (when people sometimes move on) and
maintainers (who may not have push rights) makes npm publishing rights explicit.
Ideally, this package could be added to the suite of tools that help community organizers know who had access and control of their GitHub and npm packages.
npm install --global validate-maintainers
For now, this is only a CLI tool.
Setting the field
Running the CLI tool
Below, you'll find the general help. However, you generally want to do two things:
- Validate the
> validate-maintainers --local
- Match it with npm's published version:
> validate-maintainers --match
Usage$ validate-maintainers <input>Options--local, -l Compare a local package.json to the one in the registry--commit, -c Compare against a package.json from a particularcommit--github Compare against a file on GitHub. Format: user/repoCan be used with --commit to point to a specific commit.--match Match whatever version you are getting against the publishednpm version--ci Only print and exit with 1
Testing it on CI
To test it on CI, add
validate-maintainers to your dependencies and use the
--ci flag in your
npx validate-maintainers orbit-db --match --ci
This only throws an error and breaks the buiild if the commit doesn't match npm, in which case you should manually set new maintainers on NPM.
How to set new maintainers
Validate Maintainers will not set your maintainers for your repository. You need to do this manually. To add someone as a maintainer for an npm package, take a look at
npm owner --help. As well, to set the local maintainers, add a
localMaintainers field in your
package.json and add anyone who should have publishing rights to your repository. This is different from the
maintainers field in your
package.json, which doesn't perfectly line up with actual users who have publishing rights.
Please do! Open an issue! Open a PR!
Please abide by the Code of Conduct.
MIT © 2019 Burnt Fen Creative LLC.