@yawlabs/npmjs-mcp 0.11.14 → 0.12.0

package/README.md

@@ -9,7 +9,7 @@
 
 Built and maintained by [Yaw Labs](https://yaw.sh).
 
-[![Add to Yaw MCP](https://yaw.sh/yaw-mcp-button.svg)](yaw://install?name=npm&command=npx&args=-y%2C%40yawlabs%2Fnpmjs-mcp&description=npm%20registry%20-%20package%20intel%2C%20security%2C%20dependency%20analysis%2C%20write%20ops&source=https%3A%2F%2Fgithub.com%2FYawLabs%2Fnpmjs-mcp)
+[![Add to Yaw MCP](https://yaw.sh/yaw-mcp-button.svg)](https://yaw.sh/mcp/install?name=npm&command=npx&args=-y%2C%40yawlabs%2Fnpmjs-mcp&description=npm%20registry%20-%20package%20intel%2C%20security%2C%20dependency%20analysis%2C%20write%20ops&source=https%3A%2F%2Fgithub.com%2FYawLabs%2Fnpmjs-mcp)
 
 One click adds this to your local Yaw MCP config so it's available in every Yaw Terminal session. Or install manually below.
 

package/dist/index.js

@@ -31347,12 +31347,23 @@ function translateError(res, context) {
         ...res,
         error: `Rate limited${opPart}. Retried automatically and still failed \u2014 wait longer and retry, or contact npm support if this persists. Raw: ${res.error}`
       };
+    case 409:
+      return {
+        ...res,
+        error: `Version conflict${pkgPart}${opPart}. The package metadata changed between read and write (a concurrent publish, deprecate, or registry _rev bump). Re-run the operation \u2014 it re-fetches the current _rev each call. Raw: ${res.error}`
+      };
     case 0:
       return {
         ...res,
         error: `Network error${opPart}. Could not reach the registry. Raw: ${res.error}`
       };
     default:
+      if (res.status >= 500) {
+        return {
+          ...res,
+          error: `Registry server error${pkgPart}${opPart} (HTTP ${res.status}). Retried automatically and still failed \u2014 the registry is likely having a transient outage. Wait and retry; check https://status.npmjs.org if it persists. Raw: ${res.error}`
+        };
+      }
       return res;
   }
 }
@@ -31383,7 +31394,7 @@ var accessTools = [
       if (authErr) return authErr;
       const res = await registryGetAuth(`/-/package/${encPkg(input.name)}/collaborators`);
       if (!res.ok) return translateError(res, { pkg: input.name, op: "collaborators" });
-      const collaborators = Object.entries(res.data).map(([username, permissions]) => ({
+      const collaborators = Object.entries(res.data ?? {}).map(([username, permissions]) => ({
         username,
         permissions
       }));
@@ -31431,7 +31442,7 @@ var accessTools = [
         result.access = accessRes.data;
       }
       if (collabRes.ok) {
-        result.collaborators = Object.entries(collabRes.data).map(([username, permissions]) => ({
+        result.collaborators = Object.entries(collabRes.data ?? {}).map(([username, permissions]) => ({
           username,
           permissions
         }));
@@ -31499,7 +31510,10 @@ var analysisTools = [
           latest,
           license: pkg.license ?? latestVersion?.license,
           maintainers: pkg.maintainers?.map((m) => m.name),
-          weeklyDownloads: dlRes.ok ? dlRes.data.downloads : null,
+          // Guard on data presence, not just .ok: a 2xx with an empty body yields
+          // ok:true with no data (api.ts), and dlRes.data!.downloads would throw
+          // and crash the whole compare. Degrade to null instead.
+          weeklyDownloads: dlRes.ok && dlRes.data ? dlRes.data.downloads : null,
           versionCount: versionKeys.length,
           created: pkg.time.created,
           lastPublish: latest ? pkg.time[latest] : void 0,
@@ -31578,8 +31592,10 @@ var analysisTools = [
           name: pkg.name,
           latest,
           signals: {
-            weeklyDownloads: dlWeekRes.ok ? dlWeekRes.data.downloads : null,
-            monthlyDownloads: dlMonthRes.ok ? dlMonthRes.data.downloads : null,
+            // Guard on data presence, not just .ok: an empty-body 2xx yields
+            // ok:true with no data (api.ts); degrade to null rather than throw.
+            weeklyDownloads: dlWeekRes.ok && dlWeekRes.data ? dlWeekRes.data.downloads : null,
+            monthlyDownloads: dlMonthRes.ok && dlMonthRes.data ? dlMonthRes.data.downloads : null,
             maintainerCount: pkg.maintainers?.length ?? 0,
             versionCount: versionKeys.length,
             daysSinceLastPublish,
@@ -31813,12 +31829,20 @@ var authTools = [
           error: `Token failed /-/whoami check. Token is invalid, expired, or revoked. Create a new one at https://www.npmjs.com/settings/~/tokens. Raw: ${whoami.error}`
         };
       }
-      const tfaData = profile.ok ? profile.data?.tfa : null;
-      const tfa = tfaData ? {
-        enabled: !tfaData.pending,
-        mode: tfaData.mode,
-        ...tfaData.pending ? { pending: true } : {}
-      } : { enabled: false };
+      let tfa;
+      if (!profile.ok) {
+        tfa = {
+          unknown: true,
+          warning: `2FA status unknown: profile lookup failed (HTTP ${profile.status}). Token is valid (whoami passed) but write-readiness could not be fully assessed. Raw: ${profile.error}`
+        };
+      } else {
+        const tfaData = profile.data?.tfa;
+        tfa = tfaData ? {
+          enabled: !tfaData.pending,
+          mode: tfaData.mode,
+          ...tfaData.pending ? { pending: true } : {}
+        } : { enabled: false };
+      }
       return {
         ok: true,
         status: 200,
@@ -32753,7 +32777,7 @@ var provenanceTools = [
         `/-/npm/v1/attestations/${encPkg(input.name)}@${encodeURIComponent(input.version)}`
       );
       if (!res.ok) return translateError(res, { pkg: input.name, op: `provenance ${input.version}` });
-      const attestations = (res.data.attestations ?? []).map((a) => ({
+      const attestations = (res.data?.attestations ?? []).map((a) => ({
         predicateType: a.predicateType,
         bundle: a.bundle
       }));
@@ -32814,7 +32838,7 @@ var registryTools = [
         replicateGet(`/_changes?limit=${limit}&descending=true`)
       ]);
       if (!changesRes.ok) return translateError(changesRes, { op: "recent_changes" });
-      const changes = changesRes.data.results.map((r) => ({
+      const changes = (changesRes.data?.results ?? []).map((r) => ({
         package: r.id,
         rev: r.changes[0]?.rev
       }));
@@ -32822,7 +32846,13 @@ var registryTools = [
         ok: true,
         status: 200,
         data: {
-          totalPackages: dbRes.ok ? dbRes.data.doc_count : null,
+          // `totalPackages` is the registry doc-count from replicate.npmjs.com
+          // (the entire npm registry, ~3M) -- NOT the count of returned
+          // changes. `changes.length` is the per-call result size. The field
+          // name reads as if it were a per-call count; this comment pins the
+          // semantic so a consumer reading "totalPackages: 50" doesn't assume
+          // only 50 packages exist on the registry.
+          totalPackages: dbRes.data?.doc_count ?? null,
           changes
         }
       };
@@ -32921,6 +32951,13 @@ var searchTools = [
       maintenance: external_exports.number().min(0).max(1).optional().describe("Weight for maintenance score (0-1)")
     }),
     handler: async (input) => {
+      if (input.query.trim() === "") {
+        return {
+          ok: false,
+          status: 400,
+          error: "Query cannot be empty. Provide a search term or qualifier (e.g. 'mcp', 'keywords:react')."
+        };
+      }
       const params = new URLSearchParams({ text: input.query });
       if (input.size !== void 0) params.set("size", String(input.size));
       if (input.from !== void 0) params.set("from", String(input.from));
@@ -32929,7 +32966,8 @@ var searchTools = [
       if (input.maintenance !== void 0) params.set("maintenance", String(input.maintenance));
       const res = await registryGet(`/-/v1/search?${params}`);
       if (!res.ok) return translateError(res, { op: `search "${input.query}"` });
-      const results = res.data.objects.map((obj) => ({
+      const objects = res.data?.objects ?? [];
+      const results = objects.map((obj) => ({
         name: obj.package.name,
         version: obj.package.version,
         description: obj.package.description,
@@ -32940,7 +32978,7 @@ var searchTools = [
         links: obj.package.links,
         score: obj.score.detail
       }));
-      return { ok: true, status: 200, data: { total: res.data.total, results } };
+      return { ok: true, status: 200, data: { total: res.data?.total ?? objects.length, results } };
     }
   }
 ];
@@ -34081,7 +34119,7 @@ var writeTools = [
   // ───────────────────────────────────────────────────────
   {
     name: "npm_team_delete",
-    description: "Delete a team. Team is passed as '@scope:team'. Revokes all package permissions that team held. Requires confirm: true \u2014 this removes the team and all its package grants in one call.",
+    description: "Delete a team. Team is passed as '@scope:team'. Revokes all package permissions that team held, and team memberships are also removed. Requires confirm: true \u2014 this removes the team and all its package grants in one call. List the team's current grants with npm_team_packages first if you need to preserve them.",
     annotations: {
       title: "Delete team",
       readOnlyHint: false,
@@ -34293,7 +34331,7 @@ var writeTools = [
 ];
 
 // src/index.ts
-var version2 = true ? "0.11.14" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.12.0" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "version" || subcommand === "--version" || subcommand === "-v" || subcommand === "-V") {
   console.log(version2);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/npmjs-mcp",
-  "version": "0.11.14",
+  "version": "0.12.0",
   "mcpName": "io.github.YawLabs/npmjs-mcp",
   "description": "npm registry MCP server — package intelligence, security audits, and dependency analysis for AI assistants",
   "license": "MIT",