npm / rfcs

Public change requests/proposals & ideation

[RRFC] New command for detecting availability of a package name #676

Open fabiospampinato opened 1 year ago

fabiospampinato commented 1 year ago

Motivation ("The Why")

It's kind of impossible to know if a package name is available without trying to publish a package with that name. As a result sometimes it's very frustrating to develop a new package, because once you are done NPM tells you that the name is already taken, often with an obscure error message, and you need to find another one.

Example

For example, NPM tells me that the ansi-strip package doesn't exist (https://www.npmjs.com/package/ansi-strip), but then I try to publish it and it tells me "npm ERR! 400 Bad Request - PUT https://registry.npmjs.org/ansi-strip - Cannot publish over previously published version "1.0.0"", as if the package exists (I guess it's a private one or something?), and as if I've already published v1.

How

Current Behaviour

Frustration.

Desired Behaviour

Something like npm available ansi-strip that tells you if you can publish a new package with that name or not.

References

ljharb commented 1 year ago

+1, this would be super helpful.

Specifically, since npm's "name similarity" algorithm isn't public, there's no way to know if a package name is publishable until you actually try to publish it. It would be great to be able to know this in advance.

wraithgar commented 1 year ago

npm view is the best that npm can do in the absence of a registry having a route to query to get this information with the "name similarity" check baked in.

ljharb commented 1 year ago

How much work would it be to add such a route, given that the logic already exists registry-side in publish?

wraithgar commented 1 year ago

That is a question to ask the npm registry. This RFC repo is for the cli specifically.

Once a route exists in any registry, implementing it in the cli would be a very easy task.

ljharb commented 1 year ago

Gotcha. Does the registry have any public venue in which to ask? Filing a support ticket is a bit of a black box.

saquibkhan commented 1 year ago

IMHO availability of package name and publishable are 2 separate things. A package name could be available but still not publishable due to other security reasons such as typosquat etc.

To check availability npm view can be used, I think internally it uses https://registry.npmjs.org/{package-name}

@fabiospampinato lmk your thoughts and if we can close this issue

For the above example:

Looks like this package was published and later unpublished, and hence the name is not available.

 curl https://registry.npmjs.org/ansi-strip
{"_id":"ansi-strip","_rev":"12-7df5fb22c7f6221e9ccd215025da66e7","name":"ansi-strip","time":{"created":"2018-06-17T01:43:47.813Z","1.0.0":"2018-06-17T01:43:47.862Z","modified":"2018-07-10T09:29:54.708Z","1.0.1":"2018-06-17T01:45:04.228Z","1.0.2":"2018-06-17T02:03:50.677Z","1.0.3":"2018-06-17T02:38:40.710Z","1.0.4":"2018-06-24T04:45:30.893Z","1.0.5":"2018-06-25T16:07:18.144Z","1.0.6":"2018-06-26T12:40:58.801Z","1.0.7":"2018-06-26T12:41:40.301Z","1.0.8":"2018-07-08T03:43:40.919Z","unpublished":{"time":"2018-07-10T09:29:54.708Z","versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8"]}},"_attachments":{}}
npm view ansi-strip
npm ERR! code E404
npm ERR! 404 Unpublished on 2018-07-10T09:29:54.708Z
npm ERR! 404
npm ERR! 404  'ansi-strip' is not in this registry.
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
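
Added example, not part of the thread and not npm's code: a sketch that reads the registry document quoted above and separates "no record", "published" and "unpublished", and lists the version numbers already recorded. The function names are hypothetical, and it assumes every key in `time` other than `created`, `modified` and `unpublished` is a version number, as in the quoted output.

```javascript
// Added example (not npm's code): interpret the parsed JSON body of
// GET https://registry.npmjs.org/<name>, or null when there is no document.
const BOOKKEEPING = new Set(['created', 'modified', 'unpublished']);

function classifyPackument(body) {
  if (!body || (!body.time && !body.versions)) {
    // No exact-name record. This says nothing about the registry's
    // non-public name similarity check, which only publish exercises.
    return { state: 'no-record', usedVersions: [], unpublishedAt: null };
  }
  const time = body.time || {};
  const tombstone = time.unpublished || null;
  const live = Object.keys(body.versions || {});
  // Assumption: each non-bookkeeping key in "time" is a version published once.
  const recorded = Object.keys(time).filter((k) => !BOOKKEEPING.has(k));
  const removed = tombstone ? tombstone.versions || [] : [];
  const usedVersions = [...new Set([...recorded, ...removed, ...live])];
  const state = live.length > 0 ? 'published' : tombstone ? 'unpublished' : 'unknown';
  return { state, usedVersions, unpublishedAt: tombstone ? tombstone.time : null };
}

// True when the version number is already recorded, which is the case the
// "Cannot publish over previously published version" error reports.
// A false result does not mean a publish will succeed.
function versionWasUsed(result, version) {
  return result.usedVersions.includes(version);
}

// The ansi-strip response quoted above (_id, _rev and _attachments left out).
const ansiStrip = {
  name: 'ansi-strip',
  time: {
    created: '2018-06-17T01:43:47.813Z',
    '1.0.0': '2018-06-17T01:43:47.862Z',
    modified: '2018-07-10T09:29:54.708Z',
    '1.0.1': '2018-06-17T01:45:04.228Z', '1.0.2': '2018-06-17T02:03:50.677Z',
    '1.0.3': '2018-06-17T02:38:40.710Z', '1.0.4': '2018-06-24T04:45:30.893Z',
    '1.0.5': '2018-06-25T16:07:18.144Z', '1.0.6': '2018-06-26T12:40:58.801Z',
    '1.0.7': '2018-06-26T12:41:40.301Z', '1.0.8': '2018-07-08T03:43:40.919Z',
    unpublished: {
      time: '2018-07-10T09:29:54.708Z',
      versions: ['1.0.0', '1.0.1', '1.0.2', '1.0.3', '1.0.4', '1.0.5', '1.0.6', '1.0.7', '1.0.8'],
    },
  },
};

const result = classifyPackument(ansiStrip);
console.log(result.state, result.unpublishedAt, versionWasUsed(result, '1.0.0'));
```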

fabiospampinato commented 1 year ago

By "availability" I explicitly meant "I can publish it", not "I can download it". npm view ansi-strip tells me that I cannot download it, but I cannot publish it either.

We need a "Can I publish a package with this name or not?" command.

ljharb commented 1 year ago

@saquibkhan indeed the reason this is important is because the question that needs answering is not "does this package exist?" but "will I be able to publish a package with this name?" - and there currently isn't a way to do that except trying to do the actual publish.

fabiospampinato commented 1 year ago

I just hit a fun instance of this issue: I just published the v1.0.0 of a new package named "dettle-batch", problem is I can't see it on the website, and neither with npm view dettle-batch, but if I try to publish it again it tells me I can't publish over the already present v1.0.0.

So now I'm in a weird kind of limbo, did I actually publish this thing, or was there already a private module with this name?

I can try pushing a nonsense v1.0.1 I guess just to prod the registry, but like really there should just be dedicated commands for this stuff, prodding the registry with releases is what cavemen did.