Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Unable to publish under same name as public registry packages

See original GitHub issue

For example, with this package.json:

{
  "name": "react",
  "version": "99.99.99",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC"
}

Basically I:

Created a new folder called “react”
Ran npm init + created a silly noop index.js file
Updated the version number to something big
Ran npm publish --registry my-registry.com

The npm cli tells me version 99.99.99 was added and indeed I see the tarball in s3.

However, when I go to install this package, it cannot be found. E.g. npm install react@99.99.99 --registry my-registry.com fails because the specified version cannot be found. When I inspect my package information in s3, sure enough version 99.99.99 is not listed as available.

Shadowing an existing module name may not be a supported use case, that’s cool, but what’s not so great is that there’s nothing stopping someone from installing a module on the public registry that clobbers one of my private package names. When this happens any time I install a new version of my private module all it’s prior meta information gets clobbered with whatever is on the public registry.

Issue Analytics

State:
Created 7 years ago
Reactions:3
Comments:9 (3 by maintainers)

Top GitHub Comments

1reaction

jtrussellcommented, Mar 14, 2017

My workaround/safeguard (which feels fine) is to only publish scoped packages under namespaces I own on the public registry.

0reactions

gillesdemeycommented, Oct 19, 2017

Hey folks, just got bitten by this today.

We’ve always published our beta versions <1.0.0 on our own private repository and decided to release a 1.0.0 version and also make that available publicly on the official NPM registry.

To my surprise our existing internal builds started failing when they couldn’t find the older versions of our scoped package.

Any ideas on how to force it to accept packages? 😃

EDIT:

For posterity, we’ve managed to work around the issue by renaming our package and publishing that to the NPM registry 👍

Top Results From Across the Web

Getting 404 when attempting to publish new package to NPM

You need to have registered "supericium" ( npm adduser ) as a username at the registry and be logged in ( npm login...

How to publish packages to npm (the way the industry does ...

If the package already exists on npm (because your package has the same name as another package on npm), you won't be able...

Unpublishing packages from the registry - npm Docs

Once a package is unpublished, republishing under the same name is blocked for 24 hours. If you've unpublished a package by mistake, we'd...

Conan packages in the Package Registry | GitLab

When you publish a package that has the same recipe ( package-name/version@user/channel ) as an existing package, the duplicate files are uploaded successfully ......

Publishing packages - Dart

If you accidentally publish a new version with either a missing dependency constraint or a dependency constraint that is too lax, then retracting...