@jsdevtools/npm-publish 2.0.0 → 2.2.0

package/README.md

@@ -31,7 +31,7 @@ This package can be used three different ways:
 
 - 🤖 A [**GitHub Action**](#github-action) as part of your CI/CD process
 
-- 🧩 A [**function**](#javascript-function) that you call in your JavaScript code
+- 🧩 A [**function**](#javascript-api) that you call in your JavaScript code
 
 - 🖥 A [**CLI**](#command-line-interface) that you run in your terminal
 
@@ -39,12 +39,37 @@ This package can be used three different ways:
 
 The v1 to v2 upgrade brought a few notable **breaking changes**. To migrate, make the following updates:
 
-- The `type` output is now an empty string instead of `none` when no release occurs
+- The `type` output is now an empty string instead of `'none'` when no release occurs
   ```diff
-  - - if: ${{ steps.publish.outputs.type != 'none' }}
-  + - if: ${{ steps.publish.outputs.type }}
-      run:  echo "Version changed!"
+    - run: echo "Version changed!"
+  -   if: ${{ steps.publish.outputs.type != 'none' }}
+  +   if: ${{ steps.publish.outputs.type }}
   ```
+- The `--ignore-scripts` option is now passed to `npm publish` as a security precaution. If you define any publish lifecycle scripts - `prepublishOnly`, `prepack`, `prepare`, `postpack`, `publish`, `postpublish` - run them explicitly or set the `ignore-scripts` input to `false`.
+  ```diff
+    with:
+      token: ${{ secrets.NPM_TOKEN }}
+  +   ignore-scripts: false
+  ```
+- The workflow's `.npmrc` file is no longer modified. If you have any workarounds to adjust for this misbehavior - for example, if you're using `actions/setup-node` to configure `.npmrc` - you should remove them.
+
+  ```diff
+    - uses: actions/setup-node@v3
+      with:
+        node-version: '18'
+        registry-url: https://registry.npmjs.org/
+
+    - uses: JS-DevTools/npm-publish@v1
+      with:
+        token: ${{ secrets.NPM_TOKEN }}
+
+    - name: Do some more stuff with npm
+      run: npm whoami
+      env:
+  -     INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}
+  +     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  ```
+
 - The `check-version` and `greater-version-only` options have been removed and replaced with `strategy`.
   - Use `strategy: all` (default) to publish all versions that do not yet exist in the registry.
     ```diff
@@ -62,10 +87,24 @@ The v1 to v2 upgrade brought a few notable **breaking changes**. To migrate, mak
     -   greater-version-only: true
     +   strategy: upgrade
     ```
-  - `check-version: false` has been removed. You don't need this action if you're not checking already published versions; use `npm` directly, instead.
+  - `check-version: false` has been removed. You may not need this action if you're not checking already published versions; [you can `npm` directly][publishing-nodejs-packages], instead.
+    ```diff
+    - - uses: JS-DevTools/npm-publish@v1
+    -   with:
+    -     token: ${{ secrets.NPM_TOKEN }}
+    -     check-version: false
+    + - uses: actions/setup-node@v3
+    +   with:
+    +     node-version: '18'
+    +     registry-url: https://registry.npmjs.org/
+    + - run: npm publish
+    +   env:
+    +     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+    ```
 
 See the [change log][] for more details and other changes in the v2 release.
 
+[publishing-nodejs-packages]: https://docs.github.com/actions/publishing-packages/publishing-nodejs-packages
 [change log]: https://github.com/JS-DevTools/npm-publish/releases
 
 ## GitHub Action
@@ -73,7 +112,9 @@ See the [change log][] for more details and other changes in the v2 release.
 To use the GitHub Action, you'll need to add it as a step in your [workflow file][]. By default, the only thing you need to do is set the `token` parameter to your [npm authentication token][].
 
 ```yaml
-on: push
+on:
+  push:
+    branches: main
 
 jobs:
   publish:
@@ -82,7 +123,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-node@v3
         with:
-          node-version: 18
+          node-version: "18"
       - run: npm ci
       - run: npm test
       - uses: JS-DevTools/npm-publish@v2
@@ -97,18 +138,24 @@ jobs:
 
 You can set any or all of the following input parameters using `with`:
 
-| Name       | Type                   | Default                       | Description                                                                   |
-| ---------- | ---------------------- | ----------------------------- | ----------------------------------------------------------------------------- |
-| `token`    | string                 | **required**                  | Authentication token to use with the configured registry.                     |
-| `registry` | string                 | `https://registry.npmjs.org/` | Registry URL to use.                                                          |
-| `package`  | string                 | Current working directory     | Path to a package directory, a `package.json`, or a packed `.tgz` to publish  |
-| `tag`      | string                 | `latest`                      | [Distribution tag][npm-tag] to publish to.                                    |
-| `access`   | `public`, `restricted` | [npm defaults][npm-access]    | Whether the package should be publicly visible or restricted.                 |
-| `strategy` | `all`, `upgrade`       | `all`                         | Use `all` to publish all unique versions, `upgrade` for only semver upgrades. |
-| `dry-run`  | boolean                | `false`                       | Run `npm publish` with the `--dry-run` flag to prevent publication.           |
+| Name             | Type                   | Default                       | Description                                                                      |
+| ---------------- | ---------------------- | ----------------------------- | -------------------------------------------------------------------------------- |
+| `token`          | string                 | **required**                  | Authentication token to use with the configured registry.                        |
+| `registry`¹      | string                 | `https://registry.npmjs.org/` | Registry URL to use.                                                             |
+| `package`        | string                 | Current working directory     | Path to a package directory, a `package.json`, or a packed `.tgz` to publish.    |
+| `tag`¹           | string                 | `latest`                      | [Distribution tag][npm-tag] to publish to.                                       |
+| `access`¹        | `public`, `restricted` | [npm defaults][npm-access]    | Whether the package should be publicly visible or restricted.                    |
+| `provenance`¹ ²  | boolean                | `false`                       | Run `npm publish` with the `--provenance` flag to add [provenance][] statements. |
+| `strategy`       | `all`, `upgrade`       | `all`                         | Use `all` to publish all unique versions, `upgrade` for only semver upgrades.    |
+| `ignore-scripts` | boolean                | `true`                        | Run `npm publish` with the `--ignore-scripts` flag as a security precaution.     |
+| `dry-run`        | boolean                | `false`                       | Run `npm publish` with the `--dry-run` flag to prevent publication.              |
+
+1. May be specified using `publishConfig` in `package.json`.
+2. Provenance requires npm `>=9.5.0`.
 
 [npm-tag]: https://docs.npmjs.com/cli/v9/commands/npm-publish#tag
 [npm-access]: https://docs.npmjs.com/cli/v9/commands/npm-publish#access
+[provenance]: https://docs.npmjs.com/generating-provenance-statements
 
 ### Output
 
@@ -135,11 +182,12 @@ steps:
 | `old-version` | string  | Previously published version on `tag` or empty if no previous version on tag.                                 |
 | `tag`         | string  | [Distribution tag][npm-tag] the package was published to.                                                     |
 | `access`      | string  | [Access level][npm-access] the package was published with, or `default` if scoped-package defaults were used. |
+| `registry`    | string  | Registry the package was published to.                                                                        |
 | `dry-run`     | boolean | Whether `npm publish` was run in "dry run" mode.                                                              |
 
 [semver release type]: https://github.com/npm/node-semver#release_types
 
-## JavaScript Function
+## JavaScript API
 
 To use npm-package in your JavaScript code, you'll need to install it using [npm][] or other package manager of choice:
 
@@ -166,17 +214,22 @@ As shown in the example above, you should pass an options object to the `npmPubl
 import type { Options } from "@jsdevtools/npm-publish";
 ```
 
-| Name                 | Type                   | Default                       | Description                                                                   |
-| -------------------- | ---------------------- | ----------------------------- | ----------------------------------------------------------------------------- |
-| `token`              | string                 | **required**                  | Authentication token to use with the configured registry.                     |
-| `registry`           | string, `URL`          | `https://registry.npmjs.org/` | Registry URL to use.                                                          |
-| `package`            | string                 | Current working directory     | Path to a package directory, a `package.json`, or a packed `.tgz` to publish  |
-| `tag`                | string                 | `latest`                      | [Distribution tag][npm-tag] to publish to.                                    |
-| `access`             | `public`, `restricted` | [npm defaults][npm-access]    | Whether the package should be publicly visible or restricted.                 |
-| `strategy`           | `all`, `upgrade`       | `all`                         | Use `all` to publish all unique versions, `upgrade` for only semver upgrades. |
-| `dryRun`             | boolean                | `false`                       | Run `npm publish` with the `--dry-run` flag to prevent publication.           |
-| `logger`             | object                 | `undefined`                   | Logging interface with `debug`, `info`, and `error` log methods.              |
-| `temporaryDirectory` | string                 | `os.tmpdir()`                 | Temporary directory to hold a generated `.npmrc` file                         |
+| Name                 | Type                   | Default                       | Description                                                                      |
+| -------------------- | ---------------------- | ----------------------------- | -------------------------------------------------------------------------------- |
+| `token`              | string                 | **required**                  | Authentication token to use with the configured registry.                        |
+| `registry`¹          | string, `URL`          | `https://registry.npmjs.org/` | Registry URL to use.                                                             |
+| `package`            | string                 | Current working directory     | Path to a package directory, a `package.json`, or a packed `.tgz` to publish.    |
+| `tag`¹               | string                 | `latest`                      | [Distribution tag][npm-tag] to publish to.                                       |
+| `access`¹            | `public`, `restricted` | [npm defaults][npm-access]    | Whether the package should be publicly visible or restricted.                    |
+| `provenance`¹ ²      | boolean                | `false`                       | Run `npm publish` with the `--provenance` flag to add [provenance][] statements. |
+| `strategy`           | `all`, `upgrade`       | `all`                         | Use `all` to publish all unique versions, `upgrade` for only semver upgrades.    |
+| `ignoreScripts`      | boolean                | `true`                        | Run `npm publish` with the `--ignore-scripts` flag as a security precaution.     |
+| `dryRun`             | boolean                | `false`                       | Run `npm publish` with the `--dry-run` flag to prevent publication.              |
+| `logger`             | object                 | `undefined`                   | Logging interface with `debug`, `info`, and `error` log methods.                 |
+| `temporaryDirectory` | string                 | `os.tmpdir()`                 | Temporary directory to hold a generated `.npmrc` file                            |
+
+1. May be specified using `publishConfig` in `package.json`.
+2. Provenance requires npm `>=9.5.0`.
 
 ### Output
 
@@ -195,6 +248,7 @@ import type { Results } from "@jsdevtools/npm-publish";
 | `oldVersion` | Optional string | Previously published version on `tag` or `undefined` if no previous version.                                    |
 | `tag`        | string          | [Distribution tag][npm-tag] that the package was published to.                                                  |
 | `access`     | Optional string | [Access level][npm-access] the package was published with, or `undefined` if scoped-package defaults were used. |
+| `registry`   | `URL`           | Registry the package was published to.                                                                          |
 | `dryRun`     | boolean         | Whether `npm publish` was run in "dry run" mode.                                                                |
 
 ## Command Line Interface
@@ -214,7 +268,7 @@ npx npm-publish --token YOUR_NPM_AUTH_TOKEN_HERE
 You can customize your call with options to change the registry, package, etc.
 
 ```bash
-npm-publish --token YOUR_NPM_AUTH_TOKEN_HERE --registry http://example.com ./path/to/package
+npx npm-publish --token YOUR_NPM_AUTH_TOKEN_HERE --registry http://example.com ./path/to/package
 ```
 
 ### Options
@@ -243,17 +297,23 @@ Options:
                           Defaults to "latest".
 
   --access <access>       Package access, may be "public" or "restricted".
-                          See documentation for details.
+                          See npm documentation for details.
+
+  --provenance            Publish with provenance statements.
+                          See npm documentation for details.
 
   --strategy <strategy>   Publish strategy, may be "all" or "upgrade".
                           Defaults to "all", see documentation for details.
 
+  --no-ignore-scripts     Allow lifecycle scripts, which are disabled by default
+                          as a security precaution. Defaults to false.
+
   --dry-run               Do not actually publish anything.
   --quiet                 Only print errors.
   --debug                 Print debug logs.
 
   -v, --version           Print the version number.
-  -h --help               Show usage text.
+  -h, --help              Show usage text.
 
 Examples:
 

package/lib/action/core.d.ts

@@ -19,9 +19,9 @@ export declare function getRequiredSecretInput(name: string): string;
  * Get a boolean input by name.
  *
  * @param name Input name
- * @returns True if value is "true", false if not
+ * @returns True if value is "true", false if "false", undefined if unset
  */
-export declare function getBooleanInput(name: string): boolean;
+export declare function getBooleanInput(name: string): boolean | undefined;
 /**
  * Set the action as failed due to an error.
  *

package/lib/action/core.js

@@ -36,10 +36,15 @@ exports.getRequiredSecretInput = getRequiredSecretInput;
  * Get a boolean input by name.
  *
  * @param name Input name
- * @returns True if value is "true", false if not
+ * @returns True if value is "true", false if "false", undefined if unset
  */
 function getBooleanInput(name) {
-    return (0, core_1.getInput)(name) === "true";
+    const inputString = (0, core_1.getInput)(name).toLowerCase();
+    if (inputString === "true")
+        return true;
+    if (inputString === "false")
+        return false;
+    return undefined;
 }
 exports.getBooleanInput = getBooleanInput;
 /**

package/lib/action/core.js.map

@@ -1 +1 @@
-{"version":3,"file":"core.js","sourceRoot":"","sources":["../../src/action/core.ts"],"names":[],"mappings":";;;AAAA,uCAAuC;AACvC,wCAQuB;AAIvB,mDAAmD;AACtC,QAAA,MAAM,GAAW;IAC5B,KAAK,EAAE,YAAU;IACjB,IAAI,EAAE,WAAS;IACf,KAAK,EAAE,YAAU;CAClB,CAAC;AAEF;;;;;GAKG;AACH,SAAgB,QAAQ,CAAmB,IAAY;IACrD,MAAM,WAAW,GAAG,IAAA,eAAU,EAAC,IAAI,CAAC,CAAC;IACrC,OAAO,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAE,WAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;AACjE,CAAC;AAHD,4BAGC;AAED;;;;;GAKG;AACH,SAAgB,sBAAsB,CAAC,IAAY;IACjD,MAAM,WAAW,GAAG,IAAA,eAAU,EAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACzD,IAAA,gBAAW,EAAC,WAAW,CAAC,CAAC;IACzB,OAAO,WAAW,CAAC;AACrB,CAAC;AAJD,wDAIC;AAED;;;;;GAKG;AACH,SAAgB,eAAe,CAAC,IAAY;IAC1C,OAAO,IAAA,eAAU,EAAC,IAAI,CAAC,KAAK,MAAM,CAAC;AACrC,CAAC;AAFD,0CAEC;AAED;;;;GAIG;AACH,SAAgB,SAAS,CAAC,KAAc;IACtC,IAAA,gBAAW,EAAC,KAAc,CAAC,CAAC;AAC9B,CAAC;AAFD,8BAEC;AAuBD,+CAA+C;AAC/C,SAAgB,SAAS,CACvB,IAAY,EACZ,KAAmC,EACnC,YAA2C;IAE3C,IAAA,gBAAW,EAAC,IAAI,EAAE,KAAK,IAAI,YAAY,CAAC,CAAC;AAC3C,CAAC;AAND,8BAMC"}
+{"version":3,"file":"core.js","sourceRoot":"","sources":["../../src/action/core.ts"],"names":[],"mappings":";;;AAAA,uCAAuC;AACvC,wCAQuB;AAIvB,mDAAmD;AACtC,QAAA,MAAM,GAAW;IAC5B,KAAK,EAAE,YAAU;IACjB,IAAI,EAAE,WAAS;IACf,KAAK,EAAE,YAAU;CAClB,CAAC;AAEF;;;;;GAKG;AACH,SAAgB,QAAQ,CAAmB,IAAY;IACrD,MAAM,WAAW,GAAG,IAAA,eAAU,EAAC,IAAI,CAAC,CAAC;IACrC,OAAO,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAE,WAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;AACjE,CAAC;AAHD,4BAGC;AAED;;;;;GAKG;AACH,SAAgB,sBAAsB,CAAC,IAAY;IACjD,MAAM,WAAW,GAAG,IAAA,eAAU,EAAC,IAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACzD,IAAA,gBAAW,EAAC,WAAW,CAAC,CAAC;IACzB,OAAO,WAAW,CAAC;AACrB,CAAC;AAJD,wDAIC;AAED;;;;;GAKG;AACH,SAAgB,eAAe,CAAC,IAAY;IAC1C,MAAM,WAAW,GAAG,IAAA,eAAU,EAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAEnD,IAAI,WAAW,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,WAAW,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,SAAS,CAAC;AACnB,CAAC;AAND,0CAMC;AAED;;;;GAIG;AACH,SAAgB,SAAS,CAAC,KAAc;IACtC,IAAA,gBAAW,EAAC,KAAc,CAAC,CAAC;AAC9B,CAAC;AAFD,8BAEC;AAuBD,+CAA+C;AAC/C,SAAgB,SAAS,CACvB,IAAY,EACZ,KAAmC,EACnC,YAA2C;IAE3C,IAAA,gBAAW,EAAC,IAAI,EAAE,KAAK,IAAI,YAAY,CAAC,CAAC;AAC3C,CAAC;AAND,8BAMC"}

package/lib/action/main.js

@@ -34,7 +34,9 @@ async function run() {
         package: core.getInput("package"),
         tag: core.getInput("tag"),
         access: core.getInput("access"),
+        provenance: core.getBooleanInput("provenance"),
         strategy: core.getInput("strategy"),
+        ignoreScripts: core.getBooleanInput("ignore-scripts"),
         dryRun: core.getBooleanInput("dry-run"),
         logger: core.logger,
         temporaryDirectory: process.env["RUNNER_TEMP"],

package/lib/action/main.js.map

@@ -1 +1 @@
-{"version":3,"file":"main.js","sourceRoot":"","sources":["../../src/action/main.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,yBAAyB;AACzB,0CAAyC;AACzC,gDAAkC;AAElC,sBAAsB;AACtB,KAAK,UAAU,GAAG;IAChB,MAAM,OAAO,GAAG,MAAM,IAAA,qBAAU,EAAC;QAC/B,KAAK,EAAE,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC;QAC3C,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QACnC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QACjC,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QACzB,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC/B,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QACnC,MAAM,EAAE,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC;QACvC,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,kBAAkB,EAAE,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;KAC/C,CAAC,CAAC;IAEH,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IACrC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IACrC,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC3C,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACzC,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IACtD,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAClD,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACpD,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC7C,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;AAC5C,CAAC;AAED,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,KAAY,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC"}
+{"version":3,"file":"main.js","sourceRoot":"","sources":["../../src/action/main.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,yBAAyB;AACzB,0CAAyC;AACzC,gDAAkC;AAElC,sBAAsB;AACtB,KAAK,UAAU,GAAG;IAChB,MAAM,OAAO,GAAG,MAAM,IAAA,qBAAU,EAAC;QAC/B,KAAK,EAAE,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC;QAC3C,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QACnC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QACjC,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QACzB,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC/B,UAAU,EAAE,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC;QAC9C,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QACnC,aAAa,EAAE,IAAI,CAAC,eAAe,CAAC,gBAAgB,CAAC;QACrD,MAAM,EAAE,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC;QACvC,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,kBAAkB,EAAE,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;KAC/C,CAAC,CAAC;IAEH,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IACrC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;IACrC,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC3C,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACzC,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IACtD,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAClD,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACpD,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC7C,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;AAC5C,CAAC;AAED,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,KAAY,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC"}

package/lib/cli/index.d.ts

@@ -1,4 +1,4 @@
-export declare const USAGE = "\nUsage:\n\n  npm-publish <options> [package]\n\nArguments:\n\n  package                 The path to the package to publish.\n                          May be a directory, package.json, or .tgz file.\n                          Defaults to the package in the current directory.\n\nOptions:\n\n  --token <token>         (Required) npm authentication token.\n\n  --registry <url>        Registry to read from and write to.\n                          Defaults to \"https://registry.npmjs.org/\".\n\n  --tag <tag>             The distribution tag to check against and publish to.\n                          Defaults to \"latest\".\n\n  --access <access>       Package access, may be \"public\" or \"restricted\".\n                          See documentation for details.\n\n  --strategy <strategy>   Publish strategy, may be \"all\" or \"upgrade\".\n                          Defaults to \"all\", see documentation for details.\n\n  --dry-run               Do not actually publish anything.\n  --quiet                 Only print errors.\n  --debug                 Print debug logs.\n\n  -v, --version           Print the version number.\n  -h, --help              Show usage text.\n\nExamples:\n\n  $ npm-publish --token abc123 ./my-package\n";
+export declare const USAGE = "\nUsage:\n\n  npm-publish <options> [package]\n\nArguments:\n\n  package                 The path to the package to publish.\n                          May be a directory, package.json, or .tgz file.\n                          Defaults to the package in the current directory.\n\nOptions:\n\n  --token <token>         (Required) npm authentication token.\n\n  --registry <url>        Registry to read from and write to.\n                          Defaults to \"https://registry.npmjs.org/\".\n\n  --tag <tag>             The distribution tag to check against and publish to.\n                          Defaults to \"latest\".\n\n  --access <access>       Package access, may be \"public\" or \"restricted\".\n                          See npm documentation for details.\n\n  --provenance            Publish with provenance statements.\n                          See npm documentation for details.\n\n  --strategy <strategy>   Publish strategy, may be \"all\" or \"upgrade\".\n                          Defaults to \"all\", see documentation for details.\n\n  --ignore-scripts        Ignore lifecycle scripts as a security precaution.\n                          Defaults to true.\n\n  --dry-run               Do not actually publish anything.\n  --quiet                 Only print errors.\n  --debug                 Print debug logs.\n\n  -v, --version           Print the version number.\n  -h, --help              Show usage text.\n\nExamples:\n\n  $ npm-publish --token abc123 ./my-package\n";
 /**
  * The main entry point of the CLI
  *

package/lib/cli/index.js

@@ -25,11 +25,17 @@ Options:
                           Defaults to "latest".
 
   --access <access>       Package access, may be "public" or "restricted".
-                          See documentation for details.
+                          See npm documentation for details.
+
+  --provenance            Publish with provenance statements.
+                          See npm documentation for details.
 
   --strategy <strategy>   Publish strategy, may be "all" or "upgrade".
                           Defaults to "all", see documentation for details.
 
+  --ignore-scripts        Ignore lifecycle scripts as a security precaution.
+                          Defaults to true.
+
   --dry-run               Do not actually publish anything.
   --quiet                 Only print errors.
   --debug                 Print debug logs.

package/lib/cli/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";;;AAAA,0CAAsD;AACtD,qEAA6D;AAEhD,QAAA,KAAK,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAqCpB,CAAC;AAEF;;;;;GAKG;AACI,KAAK,UAAU,IAAI,CAAC,IAAc,EAAE,OAAe;IACxD,MAAM,YAAY,GAAG,IAAA,0CAAiB,EAAC,IAAI,CAAC,CAAC;IAE7C,IAAI,YAAY,CAAC,IAAI,EAAE;QACrB,OAAO,CAAC,IAAI,CAAC,aAAK,CAAC,CAAC;QACpB,OAAO;KACR;IAED,IAAI,YAAY,CAAC,OAAO,EAAE;QACxB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtB,OAAO;KACR;IAED,MAAM,MAAM,GAAW;QACrB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,IAAI,EAAE,YAAY,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;QAC7D,KAAK,EAAE,YAAY,CAAC,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;KAC/D,CAAC;IAEF,MAAM,IAAA,qBAAU,EAAC,EAAE,GAAG,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;AACxD,CAAC;AApBD,oBAoBC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";;;AAAA,0CAAsD;AACtD,qEAA6D;AAEhD,QAAA,KAAK,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2CpB,CAAC;AAEF;;;;;GAKG;AACI,KAAK,UAAU,IAAI,CAAC,IAAc,EAAE,OAAe;IACxD,MAAM,YAAY,GAAG,IAAA,0CAAiB,EAAC,IAAI,CAAC,CAAC;IAE7C,IAAI,YAAY,CAAC,IAAI,EAAE;QACrB,OAAO,CAAC,IAAI,CAAC,aAAK,CAAC,CAAC;QACpB,OAAO;KACR;IAED,IAAI,YAAY,CAAC,OAAO,EAAE;QACxB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtB,OAAO;KACR;IAED,MAAM,MAAM,GAAW;QACrB,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,IAAI,EAAE,YAAY,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;QAC7D,KAAK,EAAE,YAAY,CAAC,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;KAC/D,CAAC;IAEF,MAAM,IAAA,qBAAU,EAAC,EAAE,GAAG,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;AACxD,CAAC;AApBD,oBAoBC"}

package/lib/cli/parse-cli-arguments.js

@@ -12,7 +12,9 @@ const ARGUMENTS_OPTIONS = [
     { name: "registry", type: String },
     { name: "tag", type: String },
     { name: "access", type: String },
+    { name: "provenance", type: Boolean },
     { name: "strategy", type: String },
+    { name: "no-ignore-scripts", type: Boolean },
     { name: "dry-run", type: Boolean },
     { name: "quiet", type: Boolean },
     { name: "debug", type: Boolean },
@@ -26,7 +28,12 @@ const ARGUMENTS_OPTIONS = [
  * @returns A parsed object of options.
  */
 function parseCliArguments(argv) {
-    const { help, version, quiet, debug, ...options } = (0, command_line_args_1.default)(ARGUMENTS_OPTIONS, { argv, camelCase: true });
+    const { help, version, quiet, debug, ...optionFlags } = (0, command_line_args_1.default)(ARGUMENTS_OPTIONS, { argv, camelCase: true });
+    const options = Object.fromEntries(Object.entries(optionFlags).map(([key, value]) => {
+        return key === "noIgnoreScripts"
+            ? ["ignoreScripts", !value]
+            : [key, value];
+    }));
     return {
         help: Boolean(help),
         version: Boolean(version),

package/lib/cli/parse-cli-arguments.js.map

@@ -1 +1 @@
-{"version":3,"file":"parse-cli-arguments.js","sourceRoot":"","sources":["../../src/cli/parse-cli-arguments.ts"],"names":[],"mappings":";AAAA,2CAA2C;;;;;;AAE3C,0EAAgD;AAGhD,MAAM,iBAAiB,GAAG;IACxB,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE;IACtD,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE;IAC/B,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE;IAClC,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE;IAC7B,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE;IAChC,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE;IAClC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE;IAClC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE;IAChC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE;IAChC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE;IAC9C,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE;CAC5C,CAAC;AAWF;;;;;GAKG;AACH,SAAgB,iBAAiB,CAAC,IAAc;IAC9C,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,OAAO,EAAE,GAAG,IAAA,2BAAe,EACjE,iBAAiB,EACjB,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAC1B,CAAC;IAEF,OAAO;QACL,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC;QACnB,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC;QACzB,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC;QACrB,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC;QACrB,OAAO,EAAE,OAAkB;KAC5B,CAAC;AACJ,CAAC;AAbD,8CAaC"}
+{"version":3,"file":"parse-cli-arguments.js","sourceRoot":"","sources":["../../src/cli/parse-cli-arguments.ts"],"names":[],"mappings":";AAAA,2CAA2C;;;;;;AAE3C,0EAAgD;AAGhD,MAAM,iBAAiB,GAAG;IACxB,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE;IACtD,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE;IAC/B,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE;IAClC,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE;IAC7B,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE;IAChC,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,OAAO,EAAE;IACrC,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE;IAClC,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,OAAO,EAAE;IAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE;IAClC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE;IAChC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE;IAChC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE;IAC9C,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE;CAC5C,CAAC;AAWF;;;;;GAKG;AACH,SAAgB,iBAAiB,CAAC,IAAc;IAC9C,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,WAAW,EAAE,GAAG,IAAA,2BAAe,EACrE,iBAAiB,EACjB,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAC1B,CAAC;IAEF,MAAM,OAAO,GAAG,MAAM,CAAC,WAAW,CAChC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;QAC/C,OAAO,GAAG,KAAK,iBAAiB;YAC9B,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC,KAAK,CAAC;YAC3B,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACnB,CAAC,CAAC,CACH,CAAC;IAEF,OAAO;QACL,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC;QACnB,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC;QACzB,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC;QACrB,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC;QACrB,OAAO,EAAE,OAAkB;KAC5B,CAAC;AACJ,CAAC;AArBD,8CAqBC"}

package/lib/compare-and-publish/compare-and-publish.d.ts

@@ -0,0 +1,21 @@
+import type { PackageManifest } from "../read-manifest.js";
+import type { NormalizedOptions } from "../normalize-options.js";
+import { type NpmCliEnvironment } from "../npm/index.js";
+import { type VersionComparison } from "./compare-versions.js";
+export interface PublishResult extends VersionComparison {
+    id: string | undefined;
+    files: PublishFile[];
+}
+export interface PublishFile {
+    path: string;
+    size: number;
+}
+/**
+ * Get the currently published versions of a package and publish if needed.
+ *
+ * @param manifest The package to potentially publish.
+ * @param options Configuration options.
+ * @param environment Environment variables for the npm cli.
+ * @returns Information about the publish, including if it occurred.
+ */
+export declare function compareAndPublish(manifest: PackageManifest, options: NormalizedOptions, environment: NpmCliEnvironment): Promise<PublishResult>;

package/lib/compare-and-publish/compare-and-publish.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.compareAndPublish = void 0;
+const index_js_1 = require("../npm/index.js");
+const compare_versions_js_1 = require("./compare-versions.js");
+const get_arguments_js_1 = require("./get-arguments.js");
+/**
+ * Get the currently published versions of a package and publish if needed.
+ *
+ * @param manifest The package to potentially publish.
+ * @param options Configuration options.
+ * @param environment Environment variables for the npm cli.
+ * @returns Information about the publish, including if it occurred.
+ */
+async function compareAndPublish(manifest, options, environment) {
+    const { name, version, packageSpec } = manifest;
+    const cliOptions = {
+        environment,
+        ignoreScripts: options.ignoreScripts.value,
+        logger: options.logger,
+    };
+    const viewArguments = (0, get_arguments_js_1.getViewArguments)(name, options);
+    const publishArguments = (0, get_arguments_js_1.getPublishArguments)(packageSpec, options);
+    let viewCall = await (0, index_js_1.callNpmCli)(index_js_1.VIEW, viewArguments, cliOptions);
+    // `npm view` will succeed with no output the package exists in the registry
+    // with no `latest` tag. This is only possible with third-party registries.
+    // https://github.com/npm/cli/issues/6408
+    if (!viewCall.successData && !viewCall.error) {
+        // Retry the call to `npm view` with the configured publish tag,
+        // to at least try to get something.
+        const viewWithTagArguments = (0, get_arguments_js_1.getViewArguments)(name, options, true);
+        viewCall = await (0, index_js_1.callNpmCli)(index_js_1.VIEW, viewWithTagArguments, cliOptions);
+    }
+    if (viewCall.error && viewCall.errorCode !== index_js_1.E404) {
+        throw viewCall.error;
+    }
+    const comparison = (0, compare_versions_js_1.compareVersions)(version, viewCall.successData, options);
+    const publishCall = comparison.type
+        ? await (0, index_js_1.callNpmCli)(index_js_1.PUBLISH, publishArguments, cliOptions)
+        : { successData: undefined, errorCode: undefined, error: undefined };
+    if (publishCall.error && publishCall.errorCode !== index_js_1.EPUBLISHCONFLICT) {
+        throw publishCall.error;
+    }
+    const { successData: publishData } = publishCall;
+    return {
+        id: publishData?.id,
+        files: publishData?.files ?? [],
+        type: publishData ? comparison.type : undefined,
+        oldVersion: comparison.oldVersion,
+    };
+}
+exports.compareAndPublish = compareAndPublish;
+//# sourceMappingURL=compare-and-publish.js.map

package/lib/compare-and-publish/compare-and-publish.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compare-and-publish.js","sourceRoot":"","sources":["../../src/compare-and-publish/compare-and-publish.ts"],"names":[],"mappings":";;;AAEA,8CAOyB;AACzB,+DAAgF;AAChF,yDAA2E;AAY3E;;;;;;;GAOG;AACI,KAAK,UAAU,iBAAiB,CACrC,QAAyB,EACzB,OAA0B,EAC1B,WAA8B;IAE9B,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,QAAQ,CAAC;IAChD,MAAM,UAAU,GAAG;QACjB,WAAW;QACX,aAAa,EAAE,OAAO,CAAC,aAAa,CAAC,KAAK;QAC1C,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC;IAEF,MAAM,aAAa,GAAG,IAAA,mCAAgB,EAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACtD,MAAM,gBAAgB,GAAG,IAAA,sCAAmB,EAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IACnE,IAAI,QAAQ,GAAG,MAAM,IAAA,qBAAU,EAAC,eAAI,EAAE,aAAa,EAAE,UAAU,CAAC,CAAC;IAEjE,4EAA4E;IAC5E,2EAA2E;IAC3E,yCAAyC;IACzC,IAAI,CAAC,QAAQ,CAAC,WAAW,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE;QAC5C,gEAAgE;QAChE,oCAAoC;QACpC,MAAM,oBAAoB,GAAG,IAAA,mCAAgB,EAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QACnE,QAAQ,GAAG,MAAM,IAAA,qBAAU,EAAC,eAAI,EAAE,oBAAoB,EAAE,UAAU,CAAC,CAAC;KACrE;IAED,IAAI,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,SAAS,KAAK,eAAI,EAAE;QACjD,MAAM,QAAQ,CAAC,KAAK,CAAC;KACtB;IAED,MAAM,UAAU,GAAG,IAAA,qCAAe,EAAC,OAAO,EAAE,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAC3E,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI;QACjC,CAAC,CAAC,MAAM,IAAA,qBAAU,EAAC,kBAAO,EAAE,gBAAgB,EAAE,UAAU,CAAC;QACzD,CAAC,CAAC,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;IAEvE,IAAI,WAAW,CAAC,KAAK,IAAI,WAAW,CAAC,SAAS,KAAK,2BAAgB,EAAE;QACnE,MAAM,WAAW,CAAC,KAAK,CAAC;KACzB;IAED,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,GAAG,WAAW,CAAC;IAEjD,OAAO;QACL,EAAE,EAAE,WAAW,EAAE,EAAE;QACnB,KAAK,EAAE,WAAW,EAAE,KAAK,IAAI,EAAE;QAC/B,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;QAC/C,UAAU,EAAE,UAAU,CAAC,UAAU;KAClC,CAAC;AACJ,CAAC;AA/CD,8CA+CC"}

package/lib/compare-and-publish/compare-versions.d.ts

@@ -0,0 +1,16 @@
+import type { NormalizedOptions } from "../normalize-options.js";
+import type { ReleaseType } from "../results.js";
+import type { NpmViewData } from "../npm/index.js";
+export interface VersionComparison {
+    type: ReleaseType | undefined;
+    oldVersion: string | undefined;
+}
+/**
+ * Compare previously published versions with the package's current version.
+ *
+ * @param currentVersion The current package version.
+ * @param publishedVersions The versions that have already been published.
+ * @param options Configuration options
+ * @returns The release type and previous version.
+ */
+export declare function compareVersions(currentVersion: string, publishedVersions: NpmViewData | undefined, options: NormalizedOptions): VersionComparison;

package/lib/compare-and-publish/compare-versions.js

@@ -0,0 +1,41 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.compareVersions = void 0;
+const diff_js_1 = __importDefault(require("semver/functions/diff.js"));
+const gt_js_1 = __importDefault(require("semver/functions/gt.js"));
+const valid_js_1 = __importDefault(require("semver/functions/valid.js"));
+const options_js_1 = require("../options.js");
+const INITIAL = "initial";
+const DIFFERENT = "different";
+/**
+ * Compare previously published versions with the package's current version.
+ *
+ * @param currentVersion The current package version.
+ * @param publishedVersions The versions that have already been published.
+ * @param options Configuration options
+ * @returns The release type and previous version.
+ */
+function compareVersions(currentVersion, publishedVersions, options) {
+    const { versions, "dist-tags": tags } = publishedVersions ?? {};
+    const { strategy, tag: publishTag } = options;
+    const oldVersion = (0, valid_js_1.default)(tags?.[publishTag.value]) ?? undefined;
+    const isUnique = !versions?.includes(currentVersion);
+    let type;
+    if (isUnique) {
+        if (!oldVersion) {
+            type = INITIAL;
+        }
+        else if ((0, gt_js_1.default)(currentVersion, oldVersion)) {
+            type = (0, diff_js_1.default)(currentVersion, oldVersion) ?? DIFFERENT;
+        }
+        else if (strategy.value === options_js_1.STRATEGY_ALL) {
+            type = DIFFERENT;
+        }
+    }
+    return { type, oldVersion };
+}
+exports.compareVersions = compareVersions;
+//# sourceMappingURL=compare-versions.js.map

package/lib/compare-and-publish/compare-versions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compare-versions.js","sourceRoot":"","sources":["../../src/compare-and-publish/compare-versions.ts"],"names":[],"mappings":";;;;;;AAAA,uEAAwD;AACxD,mEAAuD;AACvD,yEAAoD;AAEpD,8CAA6C;AAU7C,MAAM,OAAO,GAAG,SAAS,CAAC;AAC1B,MAAM,SAAS,GAAG,WAAW,CAAC;AAE9B;;;;;;;GAOG;AACH,SAAgB,eAAe,CAC7B,cAAsB,EACtB,iBAA0C,EAC1C,OAA0B;IAE1B,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,GAAG,iBAAiB,IAAI,EAAE,CAAC;IAChE,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAC9C,MAAM,UAAU,GAAG,IAAA,kBAAW,EAAC,IAAI,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,IAAI,SAAS,CAAC;IACtE,MAAM,QAAQ,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,cAAc,CAAC,CAAC;IACrD,IAAI,IAA6B,CAAC;IAElC,IAAI,QAAQ,EAAE;QACZ,IAAI,CAAC,UAAU,EAAE;YACf,IAAI,GAAG,OAAO,CAAC;SAChB;aAAM,IAAI,IAAA,eAAiB,EAAC,cAAc,EAAE,UAAU,CAAC,EAAE;YACxD,IAAI,GAAG,IAAA,iBAAgB,EAAC,cAAc,EAAE,UAAU,CAAC,IAAI,SAAS,CAAC;SAClE;aAAM,IAAI,QAAQ,CAAC,KAAK,KAAK,yBAAY,EAAE;YAC1C,IAAI,GAAG,SAAS,CAAC;SAClB;KACF;IAED,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC;AAC9B,CAAC;AAtBD,0CAsBC"}

package/lib/compare-and-publish/get-arguments.d.ts

@@ -0,0 +1,21 @@
+import type { NormalizedOptions } from "../normalize-options.js";
+/**
+ * Given a package name and publish configuration, get the NPM CLI view
+ * arguments.
+ *
+ * @param packageName Package name.
+ * @param options Publish configuration.
+ * @param retryWithTag Include a non-latest tag in the package spec for a rety
+ *   attempt.
+ * @returns Arguments to pass to the NPM CLI. If `retryWithTag` is true, but the
+ *   publish config is using the `latest` tag, will return `undefined`.
+ */
+export declare function getViewArguments(packageName: string, options: NormalizedOptions, retryWithTag?: boolean): string[];
+/**
+ * Given a publish configuration, get the NPM CLI publish arguments.
+ *
+ * @param packageSpec Package specification path.
+ * @param options Publish configuration.
+ * @returns Arguments to pass to the NPM CLI.
+ */
+export declare function getPublishArguments(packageSpec: string, options: NormalizedOptions): string[];

package/lib/compare-and-publish/get-arguments.js

@@ -0,0 +1,50 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getPublishArguments = exports.getViewArguments = void 0;
+/**
+ * Given a package name and publish configuration, get the NPM CLI view
+ * arguments.
+ *
+ * @param packageName Package name.
+ * @param options Publish configuration.
+ * @param retryWithTag Include a non-latest tag in the package spec for a rety
+ *   attempt.
+ * @returns Arguments to pass to the NPM CLI. If `retryWithTag` is true, but the
+ *   publish config is using the `latest` tag, will return `undefined`.
+ */
+function getViewArguments(packageName, options, retryWithTag = false) {
+    const packageSpec = retryWithTag
+        ? `${packageName}@${options.tag.value}`
+        : packageName;
+    return [packageSpec, "dist-tags", "versions"];
+}
+exports.getViewArguments = getViewArguments;
+/**
+ * Given a publish configuration, get the NPM CLI publish arguments.
+ *
+ * @param packageSpec Package specification path.
+ * @param options Publish configuration.
+ * @returns Arguments to pass to the NPM CLI.
+ */
+function getPublishArguments(packageSpec, options) {
+    const { tag, access, dryRun, provenance } = options;
+    const publishArguments = [];
+    if (packageSpec.length > 0) {
+        publishArguments.push(packageSpec);
+    }
+    if (!tag.isDefault) {
+        publishArguments.push("--tag", tag.value);
+    }
+    if (!access.isDefault && access.value) {
+        publishArguments.push("--access", access.value);
+    }
+    if (!provenance.isDefault && provenance.value) {
+        publishArguments.push("--provenance");
+    }
+    if (!dryRun.isDefault && dryRun.value) {
+        publishArguments.push("--dry-run");
+    }
+    return publishArguments;
+}
+exports.getPublishArguments = getPublishArguments;
+//# sourceMappingURL=get-arguments.js.map

package/lib/compare-and-publish/get-arguments.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-arguments.js","sourceRoot":"","sources":["../../src/compare-and-publish/get-arguments.ts"],"names":[],"mappings":";;;AAEA;;;;;;;;;;GAUG;AACH,SAAgB,gBAAgB,CAC9B,WAAmB,EACnB,OAA0B,EAC1B,YAAY,GAAG,KAAK;IAEpB,MAAM,WAAW,GAAG,YAAY;QAC9B,CAAC,CAAC,GAAG,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE;QACvC,CAAC,CAAC,WAAW,CAAC;IAEhB,OAAO,CAAC,WAAW,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;AAChD,CAAC;AAVD,4CAUC;AAED;;;;;;GAMG;AACH,SAAgB,mBAAmB,CACjC,WAAmB,EACnB,OAA0B;IAE1B,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IACpD,MAAM,gBAAgB,GAAG,EAAE,CAAC;IAE5B,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE;QAC1B,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;KACpC;IAED,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE;QAClB,gBAAgB,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,CAAC;KAC3C;IAED,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,KAAK,EAAE;QACrC,gBAAgB,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;KACjD;IAED,IAAI,CAAC,UAAU,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,EAAE;QAC7C,gBAAgB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;KACvC;IAED,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,KAAK,EAAE;QACrC,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;KACpC;IAED,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AA5BD,kDA4BC"}

package/lib/compare-and-publish/index.d.ts

@@ -0,0 +1 @@
+export * from "./compare-and-publish.js";

package/lib/compare-and-publish/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./compare-and-publish.js"), exports);
+//# sourceMappingURL=index.js.map

package/lib/compare-and-publish/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/compare-and-publish/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2DAAyC"}

package/lib/errors.d.ts

@@ -25,6 +25,9 @@ export declare class InvalidRegistryUrlError extends TypeError {
 export declare class InvalidTokenError extends TypeError {
     constructor();
 }
+export declare class InvalidTagError extends TypeError {
+    constructor(value: unknown);
+}
 export declare class InvalidAccessError extends TypeError {
     constructor(value: unknown);
 }