cli icon indicating copy to clipboard operation
cli copied to clipboard

Published 20 hours ago verified publisher icon npm

[BUG] Publish allows adding invalid dist-tag

Open h10s opened this issue 11 months ago • 1 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

Publish doesn't check the value of the --tag option. I can provide an invalid tag name and publish will proceed.

Expected Behavior

If the dist-tag is specified, publish checks it early on, prior to 2FA and sending a request to the registry.

Steps To Reproduce

  1. Change to a directory with a test package
  2. Change the package version, possibly using npm version patch
  3. Run npm publish --access=public --tag=@invalid

Environment

  • npm: 10.5.0
  • Node.js: v20.11.1
  • OS Name: macOS 13.6.4
  • System Model Name: MacBook Air
  • npm config:
; "user" config from /Users/hashtagchris/.npmrc

@npm:registry = "https://npm.pkg.github.com" 
//npm.pkg.github.com/:_authToken = (protected) 
//registry.npmjs.org/:_authToken = (protected) 
logs-max = 1000 

; node bin location = /Users/hashtagchris/.nvm/versions/node/v20.11.1/bin/node
; node version = v20.11.1
; npm local prefix = /private/tmp/unpub2
; npm version = 10.5.0
; cwd = /private/tmp/unpub2
; HOME = /Users/hashtagchris
; Run `npm config ls -l` to show all defaults.

h10s avatar Mar 10 '24 12:03 h10s

Earlier PR that prevents invalid dist-tags for the npm dist-tag add command, but not npm publish: https://github.com/npm/cli/pull/7195

hashtagchris avatar Mar 10 '24 12:03 hashtagchris