| 1 | +# Publish confirmation prompt |
| 2 | + |
| 3 | +## Summary |
| 4 | + |
| 5 | +Publishing a package should prompt a confirmation prompt, allowing users to validate their package info before uploading their package tarball. |
| 6 | + |
| 7 | +## Motivation |
| 8 | + |
| 9 | +Breaking the prompt into a two-step operation allows for a validation of contents prior to uploading the package. |
| 10 | + |
| 11 | +## Detailed Explanation and Rationale |
| 12 | + |
| 13 | +`npm publish` should ask for a confirmation prompt prior to uploading the package tarball. |
| 14 | + |
| 15 | +Currently "publish" has a very nice **unintended UX** for users with 2FA enabled, in which it stops the publish process in order to ask for the OTP code, allowing for a review of the file contents (and even cancelling the process altogether) prior to uploading the tarball file. |
| 16 | + |
| 17 | +A broader population of package authors can benefit from this UX if we formalize it. Allowing for review of contents and cancellation of package publishing. |
| 18 | + |
| 19 | +### Feedback from the discussion around this RFC |
| 20 | + |
| 21 | +- Should be implemented behind an opt-in flag for npm@7 |
| 22 | +- Non-TTY environments should skip the prompt. |
| 23 | + |
| 24 | +## Alternatives |
| 25 | + |
| 26 | +1. Not implement it, keep the current behavior. |
| 27 | + |
| 28 | +## Implementation |
| 29 | + |
| 30 | +Prompts the user for confirmation when using the opt-in flag: |
| 31 | + |
| 32 | +```sh |
| 33 | +$ npm publish --publish-confirmation |
| 34 | + |
| 35 | +npm notice |
| 36 | + |
| 37 | +npm notice === Tarball Contents === |
| 38 | +npm notice 183B bin/disparity |
| 39 | +npm notice 2.1kB disparity-cli.js |
| 40 | +npm notice 4.3kB disparity.js |
| 41 | +npm notice 999B package.json |
| 42 | +npm notice 875B CHANGELOG.md |
| 43 | +npm notice 1.1kB LICENSE.md |
| 44 | +npm notice 3.7kB README.md |
| 45 | +npm notice === Tarball Details === |
| 46 | +npm notice name: disparity |
| 47 | +npm notice version: 3.0.0 |
| 48 | +npm notice filename: disparity-3.0.0.tgz |
| 49 | +npm notice package size: 5.2 kB |
| 50 | +npm notice unpacked size: 13.3 kB |
| 51 | +npm notice shasum: 4344ee202484ab134227913a3af6f4a0ae5f0a59 |
| 52 | +npm notice integrity: sha512-NAItmPQyt6dya[...]m5N3kfPPJYj0w== |
| 53 | +npm notice total files: 7 |
| 54 | +npm notice |
| 55 | + |
| 56 | +This operation will publish your package to the npm registry. |
| 57 | +Do you wish to proceed? [y/N] |
| 58 | +``` |
| 59 | + |
| 60 | +The user can also provide a `--yes` option that can skip the prompt and keep current behavior: |
| 61 | + |
| 62 | +``` |
| 63 | +$ npm publish --publish-confirmation --yes |
| 64 | +``` |
| 65 | + |
| 66 | +## Prior Art |
| 67 | + |
| 68 | +Currently `npm publish` will automatically publish the tarball to the registry without any confirmation prompt in case the user does not have OTP enabled. |
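Review bot: the Implementation section leaves the non-TTY behaviour unspecified even though the Feedback section (line 22 of the file) says non-TTY environments should skip the prompt; as written, a CI job that passes `--publish-confirmation` without `--yes` would either hang waiting on stdin or silently publish, and the second outcome defeats the purpose of an opt-in confirmation. Suggest stating the rule explicitly next to the `--yes` description, for example: "When stdin is not a TTY and `--yes` is not given, `npm publish --publish-confirmation` exits with an error instead of publishing", so the safe default is a refusal rather than an unreviewed upload. Relatedly, the prompt text "This operation will publish your package to the npm registry." shows only tarball details; consider also printing the resolved registry URL, the dist-tag and the access level, since a reviewer confirming the upload wants to validate the destination as well as the contents. Minor: the fence on line 62 of the file lacks the `sh` tag used by the earlier block.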