RFC: Add publish confirmation prompt #96
Closed
Changes from 2 commits
6 commits
445af22
RFC: Add publish confirmation prompt
ruyadorno 299e813
Review based on feedback from OpenRFC call and comments
ruyadorno 14a81ef
Update accepted/0000-publish-prompt.md
ruyadorno 825a74f
Added non-tty and experimental flag example
ruyadorno 40c9895
Merge branch 'add-publish-confirmation-prompt' of github.com:ruyadorn…
ruyadorno 8129a02
Feedback from OpenRFC call
ruyadorno
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| # Publish prompt | ||
|
|
||
| ## Summary | ||
|
|
||
| Publishing a package should prompt a confirmation prompt, allowing users to validate their package info before uploading their package tarball. | ||
|
|
||
| ## Motivation | ||
|
|
||
| Breaking the prompt into a two-step operation allows for a validation of contents prior to uploading the package. | ||
|
|
||
| ## Detailed Explanation and Rationale | ||
|
|
||
| `npm publish` should ask for a confirmation prompt prior to uploading the package tarball. | ||
|
|
||
| Currently "publish" has a very nice **unintended UX** for users with 2FA enabled, in which it stops the publish process in order to ask for the OTP code, allowing for a review of the file contents (and even cancelling the process altogether) prior to uploading the tarball file. | ||
|
|
||
| A broader population of package authors can benefit from this UX if we formalize it. Allowing for review of contents and cancelation of package publishing. | ||
|
|
||
| ## Alternatives | ||
|
|
||
| 1. Not change it, just keep the current behavior? | ||
| 2. Implement it behind an _opt-in_ config option | ||
|
|
||
| ## Implementation | ||
|
|
||
| This is a breaking change from the current `npm publish` behavior, it would prompt the user for confirmation: | ||
|
|
||
|
|
||
| ```sh | ||
| $ npm publish | ||
|
|
||
| npm notice | ||
| npm notice 📦 disparity@3.0.0 | ||
| npm notice === Tarball Contents === | ||
| npm notice 183B bin/disparity | ||
| npm notice 2.1kB disparity-cli.js | ||
| npm notice 4.3kB disparity.js | ||
| npm notice 999B package.json | ||
| npm notice 875B CHANGELOG.md | ||
| npm notice 1.1kB LICENSE.md | ||
| npm notice 3.7kB README.md | ||
| npm notice === Tarball Details === | ||
| npm notice name: disparity | ||
| npm notice version: 3.0.0 | ||
| npm notice filename: disparity-3.0.0.tgz | ||
| npm notice package size: 5.2 kB | ||
| npm notice unpacked size: 13.3 kB | ||
| npm notice shasum: 4344ee202484ab134227913a3af6f4a0ae5f0a59 | ||
| npm notice integrity: sha512-NAItmPQyt6dya[...]m5N3kfPPJYj0w== | ||
| npm notice total files: 7 | ||
| npm notice | ||
|
|
||
| This operation will publish your package to the npm registry. | ||
| Do you wish to proceed? [y/N] | ||
| ``` | ||
|
|
||
| The user can also provide a `--yes` option that can skip the prompt and keep current behavior: | ||
|
|
||
| ``` | ||
| $ npm publish --yes | ||
| ``` | ||
|
|
||
| ## Prior Art | ||
|
|
||
| Currently `npm publish` will automatically publish the tarball to the registry in case the user does not have OTP enabled. | ||
|
|
||
| ## Unresolved Questions and Bikeshedding | ||
|
|
||
| - Could be tricky to handle publishing of multiple packages in the context of a **workspace** environment. | ||
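
Review bot: The Implementation section does not say what `npm publish` does when nobody is at a terminal to answer `Do you wish to proceed? [y/N]`. The change is described as breaking and the capitalised `N` makes refusal the default, so an unattended publish (a script or CI job) would either block on the prompt or abort unless it already passes `--yes`. The section should state which of the two happens and whether `--yes` is the only supported way to publish non-interactively. The workspace item under Unresolved Questions needs the same treatment: say whether one confirmation covers every package or each package prompts on its own. Minor points: the Summary reads "should prompt a confirmation prompt", and the second fence (`$ npm publish --yes`) lacks the `sh` tag used on the first.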