There are numerous ways to "shoot yourself in the foot" using npm publish. The purpose of this module is to validate that your project is ready to be published in a safe way.

It checks the following:

• package.json file is valid
• build pass (unreleased)
• tests pass
• there is no sensitive data embedded in the package that will be sent to the registry
• there is no useless files (like tests files) embedded in the package that will be sent to the registry
• there are no vulnerable dependencies (unreleased)
• there are no uncommitted changes in the working tree
• there are no untracked files in the working tree
• current branch is master or release
• git tag matches version specified in the package.json
• all licenses declared in production dependencies are valid (unreleased)

If you are running node 8 or above, and the package.json file has an already existing prepublish script, you should rename that script to prepublishOnly before using release-checker.

• Run npm help scripts to get more details.

• local install

  npm install --save-dev release-checker

  Then add this script in the scripts section of the package.json file:

  "scripts": {
      "release-checker": "release-checker"
    },

• global install

  npm install -g release-checker

• local install

  npm run release-checker

• global install

  release-checker

• zero install

  npx release-checker

When you specify no option, all checkers will run.

if you want to run only specific checkers, use the command-line options specific to these checkers.

Ensure that current branch is master or release.

Ensure there are no uncommited files in the working tree.

npx release-checker --uncommited-files

Customize the sensitive or useless data checker. This will create, in the current directory, a .sensitivedata file that you can customize to fit your needs.

npx release-checker --customize-sensitivedata

Show help.

npx release-checker --help

Ensure there is no sensitive or useless data in the npm package.

npx release-checker --sensitivedata

Use this option when you want to run all checkers except specific ones.

For example this command will run all checkers except the test checker:

npx release-checker --skip-test

This other example will run all checkers except the test checker and the git-branch checker

npx release-checker --skip-test --skip-branch

The above command could be also rewritten to:

npx release-checker --skip-t --skip-b

Ensure that latest git tag matches package.json version

npx release-checker --tag

Ensure that command npm test is successfull.

npx release-checker --test

Ensure there are no untracked files in the working tree.

npx release-checker --untracked-files

This Checker checks there is no sensitive and no useless files inside the to-be-published package. This check performs only if npm version is 5.9.0 or above.

It will detect the following files:

• Benchmark files
• Configuration files
  • CI
  • eslint
  • GitHub
  • JetBrains
  • Visual Studio Code
• Coverage files
• Demo files
• Dependency directories
• Doc files
• Example files
• Log files
• Private SSH key
• Script files
• Secret files
• Source files
• Temp files
• Test files
• Zip files
  • Output of 'npm pack' command

These files are defined inside the built-in .sensitivedata file.

You may completely override this file by creating a .sensitivedata file in the root directory of your project so that this checker fits your needs:

• to create this file, just run the command:

npx release-checker --customize-sensitivedata

• if you create your own .sensitivedata file, and the package.json file has no files section, consider adding .sensitivedata to the .npmignore file.

• Ivan Nikulin
• Henri d'Orgeval

This project is a port of all validations provided by publish-please