Npm Publish
Use when publishing Node/npm packages from a repository or monorepo, especially scoped public packages, beta/latest dist-tags, workspace publishing, npm 2FA, publish verification, local tarball smoke tests, and debugging npm publish/install errors such as
What it does
Publish npm packages, including scoped, 2FA, and monorepo deployments, with verification.
- Publish npm packages
- Handle monorepos
- Manage dist-tags
- Verify packages
Operating Pattern
Use this workflow when preparing, publishing, or verifying an npm package. Treat publishing as a release operation: package versions are immutable, registry state can lag or be filtered by local config, and npm auth errors can look unrelated to the tarball.
- Confirm package scope and working directory.
  - In a monorepo, publish from the repo root with npm publish --workspace <workspace-name> ....
  - From the package directory, omit --workspace.
  - Confirm package.json has the intended name, version, license, bin, files, engines, publishConfig, and dependencies.
- Confirm the version is new.
  - npm versions are immutable. Any republish requires a version bump.
  - Check existing versions: npm view <package> versions dist-tags --json.
- Run release checks before publishing.
  - Use the repo's normal quality gates, usually format, tests, and build.
  - If a repo-wide build fails for local env state, diagnose before assuming package failure.
- Pack and smoke-test the exact artifact.
  - Create the pack destination first; npm does not create it.
  - Install the generated tarball globally or in a temp project and run the package's CLI/help/version smoke tests.
- Publish with intentional dist-tags.
  - Use --tag beta for beta/devnet/prerelease packages.
  - Use latest only when the package should be the default install.
- Verify registry state and installability.
  - A successful publish prints + <package>@<version>.
  - Verify package document, dist-tags, access, tarball metadata, and install from a clean npm config or a deliberate security-guard override.
Recommended Command Skeleton
For a workspace package from the repository root:
git switch main
git pull
npm run format:check
npm run test --workspace <workspace-name>
npm run build
mkdir -p /private/tmp/npm-release
npm pack --workspace <workspace-name> --pack-destination /private/tmp/npm-release
npm uninstall -g <package-name>
npm install -g /private/tmp/npm-release/<tarball-name>.tgz
<binary-name> --version
<binary-name> --help
npm whoami
npm publish --workspace <workspace-name> --tag beta --access public
For @agentvouch/cli, the publish command is:
npm publish --workspace @agentvouch/cli --tag beta --access public
Dist-Tag Policy
- Publish beta/devnet releases with --tag beta.
- After publish, inspect tags:
npm view <package> dist-tags versions --json
- If users should install the package by default without a tag, intentionally move latest:
npm dist-tag add <package>@<version> latest
Do not move latest automatically. Report the current tag state and ask whether the package should become the default install when that is a product decision.
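The "confirm the version is new" and "publish with intentional dist-tags" steps can be checked mechanically before anything is sent to the registry. The following is an added example, not code from the original skill: planPublish, its options, and the @example/cli sample data are hypothetical names constructed for illustration.

```javascript
// Added example, not part of the original skill. `pkg` is the parsed package.json;
// `registryDoc` is the parsed output of
// `npm view <package> versions dist-tags --json`, or null if never published.
function planPublish(pkg, registryDoc, { workspace = null, makeDefault = false } = {}) {
  const problems = [];
  for (const field of ['name', 'version', 'license']) {
    if (!pkg[field]) problems.push(`package.json is missing "${field}"`);
  }
  // npm can print a lone version as a string, so normalise to an array.
  const published = [].concat(registryDoc?.versions ?? []);
  if (published.includes(pkg.version)) {
    problems.push(`${pkg.name}@${pkg.version} already exists; versions are immutable, bump first`);
  }
  const tags = registryDoc?.['dist-tags'] ?? {};
  // Always pass --tag explicitly: a publish without one uses "latest".
  // makeDefault must be an explicit decision, never inferred.
  const tag = makeDefault ? 'latest' : 'beta';
  const argv = ['publish'];
  if (workspace) argv.push('--workspace', workspace);
  argv.push('--tag', tag);
  // Scoped public packages keep --access public, as in the skeleton above.
  if (String(pkg.name).startsWith('@')) argv.push('--access', 'public');
  return {
    ok: problems.length === 0,
    problems,
    argv,                               // arguments for `npm`
    currentLatest: tags.latest ?? null, // report this with the result
  };
}

// Constructed sample data: one published version, printed by npm as a string.
const samplePkg = { name: '@example/cli', version: '0.2.0-beta.1', license: 'MIT' };
const sampleRegistry = { versions: '0.1.0', 'dist-tags': { latest: '0.1.0' } };
const plan = planPublish(samplePkg, sampleRegistry, { workspace: '@example/cli' });
console.log(plan.ok ? `npm ${plan.argv.join(' ')}` : plan.problems.join('\n'));
```

Re-read the dist-tags from the registry after publishing rather than trusting the plan, since the registry is the source of truth for where latest points.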
Verification Commands
Use several independent checks:
npm view <package> dist-tags versions engines bin --json
npm access get status <package>
npm owner ls <package>
npm access list collaborators <package>
mkdir -p /private/tmp/npm-verify
npm pack <package>@<tag-or-version> --pack-destination /private/tmp/npm-verify
Then install and smoke-test from the registry in an environment that can see fresh packages:
npm install -g <package>@<tag-or-version>
<binary-name> --help
If the user's npm config intentionally sets a before date as a supply-chain safety guard, keep it. Do not tell them to delete it as the default fix. For fresh-release verification, use one of:
- a separate clean environment or user config;
- direct registry reads such as npm view <package> ...;
- an explicit --before=<future ISO date after the publish time> override for the one verification command.
If npm install reports ENOVERSIONS while npm view shows versions, check:
npm config get before
A before date earlier than the publish timestamp hides the new version from install resolution.
Error Triage
ELOOP loading env during repo build
If a pre-publish build fails with a message like:
ELOOP: too many symbolic links encountered, stat '<repo>/web/.env.local'
Check whether the env file is a self-referential symlink:
ls -l web/.env.local
Move the broken symlink out of the app directory and recreate .env.local as a real file if needed. Do not treat this as an npm packaging failure.
npm pack --pack-destination returns ENOENT
npm pack --pack-destination <dir> does not create <dir>. Create it first:
mkdir -p /private/tmp/npm-release
npm pack --workspace <workspace-name> --pack-destination /private/tmp/npm-release
E403 requiring 2FA or bypass token
The tarball may be fine; npm is rejecting registry write auth. Refresh auth and retry:
npm logout
npm login --auth-type=web
npm whoami
npm publish --workspace <workspace-name> --tag beta --access public
If npm prompts for an OTP, use a fresh 2FA code immediately:
npm publish --workspace <workspace-name> --tag beta --access public --otp <code>
Recovery codes can satisfy npm's OTP prompt, but they are one-time backup factors. If a recovery code is used or exposed in logs/chat, treat it as spent and regenerate recovery codes after publishing.
PUT ... 404 Not found during publish
If publish reaches Publishing to https://registry.npmjs.org/ and then fails with PUT ... 404, the tarball built but npm did not accept the registry write. Check:
npm config get registry
npm whoami
npm owner ls <package>
npm access get status <package>
For scoped public packages, keep --access public. Re-login with npm login --auth-type=web if the current session or token lacks publish rights.
ENOVERSIONS after publish
If the registry document shows the version but install says no versions are available, suspect a local before security guard:
npm config get before
npm view <package> time dist-tags versions --json
Compare the package publish time to the configured before date. Preserve the guard unless the user explicitly wants it removed.
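The comparison between the before guard and the publish time can be scripted from the two command outputs above. This is an added example, not code from the original skill: triageBeforeGuard and the sample timestamps are constructed, and treating an empty string or "null" as an unset guard is an assumption.

```javascript
// Added example, not part of the original skill. `timeDoc` is the parsed output
// of `npm view <package> time --json`; `beforeValue` is the string printed by
// `npm config get before`.
function triageBeforeGuard(timeDoc, beforeValue, targetVersion) {
  const raw = String(beforeValue ?? '').trim();
  // Assumption: an unset guard prints as an empty string or "null".
  if (raw === '' || raw === 'null') {
    return { guardActive: false, hidden: [], targetHidden: false };
  }
  const cutoff = new Date(raw);
  if (Number.isNaN(cutoff.getTime())) {
    throw new Error(`cannot parse before value: ${raw}`);
  }
  // "created" and "modified" are document timestamps, not versions.
  const published = Object.entries(timeDoc)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .map(([version, iso]) => ({ version, at: new Date(iso) }));
  const target = published.find((p) => p.version === targetVersion);
  if (!target) throw new Error(`${targetVersion} is not in the registry time document`);
  // A version published after the cutoff is hidden from install resolution.
  const hidden = published.filter((p) => p.at > cutoff).map((p) => p.version);
  return {
    guardActive: true,
    cutoff: cutoff.toISOString(),
    publishedAt: target.at.toISOString(),
    hidden,
    targetHidden: hidden.includes(targetVersion),
    // Every version hidden matches the ENOVERSIONS symptom described above.
    allHidden: hidden.length === published.length,
  };
}

// Constructed sample: a package first published after the configured guard date.
const sampleTime = {
  created: '2025-03-10T09:00:00.000Z',
  modified: '2025-03-12T15:30:00.000Z',
  '0.1.0-beta.1': '2025-03-10T09:00:05.000Z',
  '0.1.0-beta.2': '2025-03-12T15:30:00.000Z',
};
const report = triageBeforeGuard(sampleTime, '2025-03-01T00:00:00.000Z', '0.1.0-beta.2');
console.log(JSON.stringify(report, null, 2));
```

When targetHidden is true, the guard is working as configured; verify the release with one of the options listed under Verification Commands instead of deleting the setting.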
Completion Criteria
Report:
- the package name, version, and dist-tags;
- whether latest changed;
- package access status;
- tarball file count/size when available;
- CLI smoke-test output or exact failure;
- any local npm guardrail such as before that affected verification.
Synced from dirtybits/agent-skills