Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Publish allows adding invalid dist-tag #7275

Closed
2 tasks done
h10s opened this issue Mar 10, 2024 · 1 comment
Closed
2 tasks done

[BUG] Publish allows adding invalid dist-tag #7275

h10s opened this issue Mar 10, 2024 · 1 comment
Assignees
@reggi
Labels
Bug thing that needs fixing Priority 1 high priority issue Release 10.x

Comments

@h10s
Copy link

h10s commented Mar 10, 2024

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Publish doesn't check the value of the --tag option. I can provide an invalid tag name and publish will proceed.

Expected Behavior

If the dist-tag is specified, publish checks it early on, prior to 2FA and sending a request to the registry.

Steps To Reproduce

  1. Change to a directory with a test package
  2. Change the package version, possibly using npm version patch
  3. Run npm publish --access=public --tag=@invalid

Environment

  • npm: 10.5.0
  • Node.js: v20.11.1
  • OS Name: macOS 13.6.4
  • System Model Name: MacBook Air
  • npm config:
; "user" config from /Users/hashtagchris/.npmrc

@npm:registry = "https://npm.pkg.github.com" 
//npm.pkg.github.com/:_authToken = (protected) 
//registry.npmjs.org/:_authToken = (protected) 
logs-max = 1000 

; node bin location = /Users/hashtagchris/.nvm/versions/node/v20.11.1/bin/node
; node version = v20.11.1
; npm local prefix = /private/tmp/unpub2
; npm version = 10.5.0
; cwd = /private/tmp/unpub2
; HOME = /Users/hashtagchris
; Run `npm config ls -l` to show all defaults.
@h10s h10s added Bug thing that needs fixing Needs Triage needs review for next steps Release 10.x labels Mar 10, 2024
@hashtagchris
Copy link
Contributor

Earlier PR that prevents invalid dist-tags for the npm dist-tag add command, but not npm publish: #7195

@karenjli karenjli added Priority 1 high priority issue and removed Needs Triage needs review for next steps labels Mar 13, 2024
@reggi reggi mentioned this issue May 1, 2024
Merged
@Santoshraj2 Santoshraj2 self-assigned this May 7, 2024
@reggi reggi closed this as completed May 8, 2024
@reggi reggi assigned reggi and unassigned Santoshraj2 May 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@reggi reggi

Labels
Bug thing that needs fixing Priority 1 high priority issue Release 10.x
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@reggi @hashtagchris @karenjli @h10s @Santoshraj2