LinuxCommandLibrary

npm-access

Manage npm package access and visibility

TLDR

List packages for a user or scope

$ npm access list packages [user|scope|scope:team] [package_name]

List collaborators on a package
$ npm access list collaborators [package_name] [username]

Get status of a package
$ npm access get status [package_name]

Set package status (public or private)
$ npm access set status=[public|private] [package_name]

Grant access to a package
$ npm access grant [read-only|read-write] [scope:team] [package_name]

Revoke access to a package
$ npm access revoke [scope:team] [package_name]

Configure two-factor authentication requirement
$ npm access set mfa=[none|publish|automation] [package_name]

SYNOPSIS

npm access <subcommand> [options]

Subcommands:
npm access public <package-name>
npm access restricted <package-name>
npm access grant <read-only|read-write> <scope:team|user> <package-name>
npm access revoke <scope:team|user> <package-name>
npm access ls-packages [<user>|<scope:team>]
npm access ls-collaborators <package-name> [<user>]

PARAMETERS

public <package-name>
    Makes a package publicly visible and installable by anyone. This is often the default for new packages unless configured otherwise.

restricted <package-name>
    Restricts access to a package, making it private. Only users or teams explicitly granted access can view or install it. This is commonly used for private modules in organizations.

grant <read-only|read-write> <scope:team|user> <package-name>
    Grants either read-only or read-write access to a specific user or an npm team for a given package. Read access allows viewing and installing; write access allows publishing and modifying the package.

revoke <scope:team|user> <package-name>
    Revokes previously granted read or write access from a user or npm team for a package.

ls-packages [<user>|<scope:team>]
    Lists all packages that a specified user or team has access to. If no user or team is specified, it lists packages the current logged-in user has access to.

ls-collaborators <package-name> [<user>]
    Lists all collaborators (users and teams) on a specific package, along with their respective access levels (read or write). Optionally, if a user is specified, it shows only their access level to that package.

--json
    Outputs the command results in JSON format, which is useful for programmatic consumption and scripting.

--otp <one-time-password>
    Provides a one-time password for commands that require two-factor authentication (2FA).

--registry <url>
    Specifies an alternative npm registry URL to use for the command, overriding the default configured registry.

DESCRIPTION

The npm access command is a powerful tool within the npm ecosystem for controlling the visibility and permissions of packages published to the npm registry. It enables package maintainers to define who can read, publish, or modify their packages.

Through its subcommands, npm access allows you to:
    Make a package public or restrict its general visibility.
    Grant or revoke read or write access for individual users or npm teams.
    List the packages that a user or team has access to, or list the collaborators on a specific package.

This granularity is crucial for managing both public open-source projects and private organizational modules, ensuring secure collaboration and proper distribution control.

CAVEATS

You must be logged into the npm registry (e.g., using npm adduser or npm login) to use npm access commands that modify permissions.

To modify a package's access, you must be a maintainer (owner) of that package or part of an npm team with write access to it.

Using the grant or revoke commands with teams (e.g., <scope:team>) requires the team to be part of an npm organization.

Packages set to restricted are considered private and may incur associated costs or limitations based on your npm plan.

ACCESS LEVELS: READ VS. WRITE

npm access distinguishes between two primary access levels: read and write.
Read access permits users or teams to view package metadata and install the package. This is the minimum required to consume a private package.
Write access grants the ability to publish new versions, modify package metadata, and manage collaborators (including using npm access to change permissions). Only users or teams with write access can maintain a package.

ORGANIZATIONS AND TEAMS

npm access leverages npm's organization and team features for managing access at scale. An npm organization can contain multiple teams, and users can be members of multiple teams. By granting or revoking access to a team (e.g., `@myorg:developers`), all members of that team automatically inherit or lose the specified access to the package. This simplifies permission management for large projects and companies.
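
The read/write distinction above lends itself to a periodic least-privilege review. The following is an added example, not code from npm or from this page: it checks collaborator and status data against a hypothetical policy. The JSON shapes are assumptions about what `npm access list collaborators <pkg> --json` and `npm access get status <pkg> --json` print, and the package names, users and policy are constructed.

```javascript
// Added example: least-privilege review of npm package access.
// Assumed input shapes (verify against your npm version):
//   npm access list collaborators <pkg> --json -> {"<user>": "read-only"|"read-write"}
//   npm access get status <pkg> --json         -> {"<pkg>": "public"|"private"}

// Constructed sample data (not real registry output).
const collaborators = {
  '@myorg/billing': { alice: 'read-write', 'ci-bot': 'read-write', bob: 'read-only' },
  '@myorg/ui-kit': { alice: 'read-write', carol: 'read-write' },
};
const status = { '@myorg/billing': 'public', '@myorg/ui-kit': 'public' };

// Hypothetical policy: who may publish, and which packages must stay private.
const policy = {
  publishers: { '@myorg/billing': ['alice', 'ci-bot'], '@myorg/ui-kit': ['alice'] },
  mustBePrivate: ['@myorg/billing'],
};

function auditAccess(collaborators, status, policy) {
  const findings = [];
  for (const [pkg, users] of Object.entries(collaborators)) {
    const allowed = new Set(policy.publishers[pkg] || []);
    for (const [user, level] of Object.entries(users)) {
      if (level === 'read-write' && !allowed.has(user)) {
        // Write access means publish rights: anyone not on the list is a finding.
        findings.push({ pkg, issue: 'unexpected-write', user });
      } else if (level !== 'read-only' && level !== 'read-write') {
        findings.push({ pkg, issue: 'unknown-level', user });
      }
    }
    for (const user of allowed) {
      if (users[user] !== 'read-write') {
        findings.push({ pkg, issue: 'publisher-missing-write', user });
      }
    }
  }
  // Fail closed: a package with no recorded status counts as not private.
  for (const pkg of policy.mustBePrivate) {
    if (status[pkg] !== 'private') findings.push({ pkg, issue: 'not-private', user: null });
  }
  return findings;
}

for (const f of auditAccess(collaborators, status, policy)) {
  console.log(`${f.pkg}: ${f.issue}${f.user ? ' (' + f.user + ')' : ''}`);
}
```

Each finding maps to a command already listed on this page: `npm access revoke` for an unexpected writer, `npm access set status=private` for a package that should not be public.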

HISTORY

The npm access command was introduced to provide more granular and flexible control over package permissions, building upon the capabilities of the older npm owner command. Its development coincided with the growth of npm organizations and the increasing need for private modules and collaborative team management within npm. It solidified the ability to manage read and write access for both individual users and structured npm teams, making it a cornerstone for enterprise and team-based npm workflows.
