gamegold 6.7.3 → 6.7.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +42 -0
- package/lib/gamegold-worker.js +185 -185
- package/lib/gamegold.js +261 -261
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -65,3 +65,45 @@ https://github.com/bookmansoft/gamegoldmanager
|
|
|
65
65
|
API说明文档
|
|
66
66
|
https://github.com/bookmansoft/gamegoldapi
|
|
67
67
|
|
|
68
|
+
## NPM 两阶段验证对 publish 的影响
|
|
69
|
+
|
|
70
|
+
你踩的是"包级 2FA 死锁"
|
|
71
|
+
|
|
72
|
+
npm 现在对所有包(尤其是有一定下载量的旧包)会自动 enroll 进包级 2FA 政策。规则是 :
|
|
73
|
+
|
|
74
|
+
All packages now require two-factor authentication or a granular access token with bypass 2FA enabled for creating and publishing packages.
|
|
75
|
+
|
|
76
|
+
也就是说链路是这样的:
|
|
77
|
+
|
|
78
|
+
你账号层关了 2FA → npm profile get应该显示 "twoFactorAuth": false
|
|
79
|
+
|
|
80
|
+
但 gamegold这个包被 npm 强制开了包级 2FA → 包设置里默认是 "Require 2FA or granular token with bypass 2FA"
|
|
81
|
+
|
|
82
|
+
你本地 .npmrc里的 _authToken是老 token(要么是 classic 要么是没勾 bypass 2FA 的 granular),它既过不了账号 2FA 检查(你关了),也过不了包级 2FA 检查(token 没 bypass)→ 死锁 403
|
|
83
|
+
|
|
84
|
+
所以"关 2FA"这一步反而把你往坑里推了一把——账号关了,包级还在要 2FA,老 token 又没 bypass,三面夹击。
|
|
85
|
+
|
|
86
|
+
(推荐):网页生成 Granular Token,勾 Bypass 2FA
|
|
87
|
+
|
|
88
|
+
这是 npm 现在给的"合法免 OTP"出口,也顺便解决你上一轮问的跨机共享——token 字符串拷过去就能用:
|
|
89
|
+
|
|
90
|
+
去 npmjs.com → 头像 → Access Tokens → Generate New Token
|
|
91
|
+
|
|
92
|
+
选 Granular Access Token
|
|
93
|
+
|
|
94
|
+
权限勾 Read and Write(或只 Publish)
|
|
95
|
+
|
|
96
|
+
关键:勾选 Bypass two-factor authentication for this token ☑️
|
|
97
|
+
|
|
98
|
+
Expiration 最长 90 天(2025/11 之后硬性限制 )
|
|
99
|
+
|
|
100
|
+
生成后复制 npm_……那段,只显示一次
|
|
101
|
+
|
|
102
|
+
本地写进 .npmrc, 或者行命令执行:
|
|
103
|
+
```bash
|
|
104
|
+
npm config set //registry.npmjs.org/:_authToken=你刚拷的npm_开头那串
|
|
105
|
+
npm whoami # 能打出用户名就 OK
|
|
106
|
+
npm publish --access public
|
|
107
|
+
```
|
|
108
|
+
|
|
109
|
+
⚠️ 2026 年 5 月那次 npm 把所有 bypass-2FA 的 write token 一刀切作废过一次,所以这个 token 90 天后必过期,CI 里用的记得日历提醒轮换,别哪天突然 403 懵掉。
|