From publish
Publish npm packages with full troubleshooting for 2FA, token types, registry mirrors, and cross-platform issues. Use when the user asks to publish a package to npm, fix npm publish errors, or set up npm authentication.
How this skill is triggered — by the user, by Claude, or both
Slash command
/publish:npm-publishThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Publish Node.js packages to npm registry with complete error handling and troubleshooting.
Publish Node.js packages to npm registry with complete error handling and troubleshooting.
Before publishing, verify ALL of the following:
package.json exists with required fields:
name — package name (check availability: curl -s https://registry.npmjs.org/<name> | head -5)version — semver versionmain or bin — entry pointfiles — whitelist of files to include (recommended)license — MIT, ISC, etc.description — short descriptionkeywords — for discoverabilityRegistry is official npm (NOT a mirror):
npm config get registry
# MUST be: https://registry.npmjs.org/
Auth token is configured with correct permissions
.npmignore or files field — ensure only necessary files are published
# Check current registry
npm config get registry
# If it shows a mirror (huawei/taobao/cnpm), switch to official:
npm config set registry https://registry.npmjs.org/
# Common mirrors that will FAIL for publishing:
# - https://mirrors.huaweicloud.com/repository/npm/
# - https://registry.npmmirror.com/
# - https://registry.npm.taobao.org/
IMPORTANT: Mirror registries (华为云/淘宝/cnpm) only support READ operations. Publishing MUST go to the official registry.
Go to https://www.npmjs.com/settings//tokens
Token Type Selection Guide:
| Token Type | Can Publish | Needs 2FA Bypass | Use Case |
|---|---|---|---|
| Classic - Automation | ✗ NO | N/A | CI read-only |
| Classic - Publish | ✓ YES | Only if 2FA enabled | Simple publish |
| Granular (recommended) | ✓ YES | Must enable bypass | Fine-grained control |
For accounts with 2FA enabled (most accounts), you MUST:
Create .npmrc in project root:
echo "//registry.npmjs.org/:_authToken=npm_YOUR_TOKEN_HERE" > .npmrc
SECURITY: Add .npmrc to .gitignore and .npmignore:
echo ".npmrc" >> .gitignore
echo ".npmrc" >> .npmignore
npm whoami
# Should output your npm username
If empty or error → token is invalid, regenerate.
npm pack --dry-run
# Shows what files will be included in the package
# Verify no secrets, no unnecessary files
npm publish --access public
For scoped packages (@scope/name):
npm publish --access public
# --access public is REQUIRED for scoped packages (default is restricted)
curl -s https://registry.npmjs.org/<package-name> | head -5
# Or
npm info <package-name>
npm error code E401
npm error 401 Unauthorized - GET https://registry.npmjs.org/-/whoami
Causes & Fixes:
.npmrc content.npmrc → Ensure //registry.npmjs.org/:_authToken=...npm error code E403
npm error 403 Forbidden - PUT https://registry.npmjs.org/<pkg>
Variant 1: "You may not perform that action with these credentials"
Variant 2: "Two-factor authentication or granular access token with bypass 2fa enabled is required"
Variant 3: "Package name too similar to existing packages"
@scope/namenpm error code E404
npm error 404 Not Found - PUT https://registry.npmjs.org/<pkg>
Causes & Fixes:
npm config get registry--access publicnpm error code ENEEDAUTH
npm error need auth This command requires you to be logged in to https://mirrors.xxx.com/
Cause: Registry is set to a mirror that requires auth. Fix: Switch to official registry:
npm config set registry https://registry.npmjs.org/
Some Windows shell environments swallow npm output.
Fix: Call npm via Node directly:
node "/path/to/nodejs/node_modules/npm/bin/npm-cli.js" publish --access public
Common paths:
C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js/d/Program Files/nodejs/node_modules/npm/bin/npm-cli.js (Git Bash)Same shell issue. Use direct invocation:
node "/path/to/nodejs/node_modules/npm/bin/npm-cli.js" install
# Patch: 0.1.0 → 0.1.1 (bug fixes)
npm version patch
# Minor: 0.1.0 → 0.2.0 (new features, backwards compatible)
npm version minor
# Major: 0.1.0 → 1.0.0 (breaking changes)
npm version major
# Then publish
npm publish --access public
# 1. Verify registry
npm config set registry https://registry.npmjs.org/
# 2. Create .npmrc with token
echo "//registry.npmjs.org/:_authToken=npm_xxxxx" > .npmrc
# 3. Verify auth
npm whoami
# → kungeskills
# 4. Check package contents
npm pack --dry-run
# 5. Publish
npm publish --access public
# → + [email protected]
# 6. Verify on registry
curl -s https://registry.npmjs.org/kungeskill | head -5
npm config get registry → https://registry.npmjs.org/npm whoami → shows usernamepackage.json version is bumped.npmrc has valid token (Granular + bypass 2FA).npmrc is in .gitignore (never commit tokens)npm pack --dry-run → no secrets, no junk filesnpm publish --access publicBuilds a throwaway prototype to answer a design question about UI appearance or state/logic behavior. Guides you through two branches: interactive terminal app for logic validation, or multiple UI variations for visual exploration.
npx claudepluginhub kunge2013/skills --plugin publish