# @belym.a.2105/publish-please

v2.4.1

Safe and highly functional replacement for `npm publish`.
## Publish, please!

There are numerous ways to "shoot yourself in the foot" using `npm publish`. The purpose of this module is to replace `npm publish` for your packages with a safe and more functional alternative, which will allow you to:

- Run tests or build steps before publishing (because `prepublish` is broken).
- Perform a check for sensitive data in your package, to be sure that you didn't leak it by accident (further reading: Do not underestimate credentials leaks).
- Perform a check for vulnerable dependencies using Node Security Project data.
- Check that you are in the correct git branch.
- Check that the git tag matches the version specified in `package.json`.
- Check that there are no uncommitted changes in the working tree.
- Check that there are no untracked files in the working tree.
- Force usage of the npm publish tag where necessary, so you'll be sure you're not publishing a preview version of your package as a release version.
- Get a release summary and publishing confirmation.
- Configure publishing using the built-in configuration wizard.
## Getting started

The setup process of publish-please is quite trivial: just run `npm install --save-dev publish-please` in your project's directory.

Once it finishes installing, publish-please will automatically run its configuration wizard, which will guide you through some simple steps to set up the features you want to use.

If you forgot to configure something, or just changed your mind and want to change the configuration, run `npm run publish-please config` to return to the wizard.

Once you are done with the wizard, `npm publish` for your package is disabled from now on (Muahahaha :smiling_imp:).

But don't worry, it's done for a good reason: to prevent you or your co-workers from running an unsafe publishing process. Use the awesome version instead:

`npm run publish-please`
## Options

- `prePublishScript` - Specifies the command that will be run before publishing (e.g. `npm test`). Use it for builds and tests. Default: `npm test`.
- `postPublishScript` - Specifies the command that will be run after successful publishing. Use it for release announcements, creating a GitHub release, uploading binaries, etc. Default: `` (no command).
- `publishCommand` - Specifies the publishing command which will be used to publish the package. Default: `npm publish`.
- `publishTag` - Specifies the tag with which the package will be published. See the npm publish docs for more info. Default: `latest`.
- `confirm` - Ask for confirmation before publishing. Default: `true`.
## Validations

- `uncommittedChanges` - Check that there are no uncommitted changes in the working tree. Default: `true`.
- `untrackedFiles` - Check that there are no untracked files in the working tree. Default: `true`.
- `gitTag` - Check that the git tag matches the version specified in `package.json`. Default: `true`.
- `branch` - Check that the current branch matches the specified branch. Default: `master`.
- `sensitiveData` - Perform an audit for sensitive data. Default: `true`.
- `vulnerableDependencies` - Perform a vulnerable dependencies check using Node Security Project data. Default: `true`.
## Sensitive information audit

Important note: the tool provides only a very basic sensitive data check. Do not rely on it fully. Always perform manual checks for sensitive data in your packages.

The audit is performed for the following items:
- Private SSH key
- Potential cryptographic private key
- Potential cryptographic key bundle
- Pidgin OTR private key
- Shell command history file
- MySQL client command history file
- PostgreSQL client command history file
- Ruby IRB console history file
- Pidgin chat client account configuration file
- Hexchat/XChat IRC client server list configuration file
- Irssi IRC client configuration file
- Recon-ng web reconnaissance framework API key database
- DBeaver SQL database manager configuration file
- Mutt e-mail client configuration file
- S3cmd configuration file
- T command-line Twitter client configuration file
- OpenVPN client configuration file
- Well, this is awkward... Gitrob configuration file
- Shell configuration file
- Shell profile configuration file
- Shell command alias configuration file
- Ruby On Rails secret token configuration file
- OmniAuth configuration file
- Carrierwave configuration file
- Ruby On Rails database schema file
- Potential Ruby On Rails database configuration file
- Django configuration file
- PHP configuration file
- KeePass password manager database file
- 1Password password manager database file
- Apple Keychain database file
- GNOME Keyring database file
- Log file
- Network traffic capture file
- SQL dump file
- GnuCash database file
- Contains word: backup
- Contains word: dump
- Contains word: password
- Contains words: private, key
- Jenkins publish over SSH plugin file
- Potential Jenkins credentials file
- Apache htpasswd file
- Configuration file for auto-login process
- KDE Wallet Manager database file
- Potential MediaWiki configuration file
- Tunnelblick VPN configuration file
- Rubygems credentials file
- Potential MSBuild publish profile
- PHP dotenv
## Check out my other packages used by this tool
- cp-sugar - Some sugar for child_process module.
- elegant-status - Create elegant task status for CLI.
- pkgd - Get package publish info: package.json and file list.
- promisify-event - Promisify EventEmitter's event.