npm-publish

npm publish [package-spec] [options]

npm publish packs the current project (or a given folder/tarball) and uploads it to the configured registry, making the new version installable by others.Files included in the tarball follow the rules in `.npmignore`, the `files` field of `package.json`, and the standard npm defaults. The `name` and `version` fields must together be unique on the registry; republishing an already-published version is not allowed.For scoped packages (`@scope/name`), npm treats the package as private by default; pass `--access public` on first publish to make it publicly available.

package-spec

Path to a folder or tarball to publish. Defaults to the current directory.

Register the published version under the given dist-tag instead of `latest`.

Set initial access for a scoped package. Required as `public` for new scoped packages or when using `--provenance`.

Report what would be published without uploading anything.

Supply a one-time password from a 2FA authenticator.

Generate and attach a supply-chain provenance statement (npm >= 9.5.0, supported CI only).

Attach a pre-generated provenance bundle instead of creating one.

Publish a specific workspace package.

Publish every configured workspace.

Also include the workspace root when `--workspaces` is used.

Display help information.

Publishing requires an authenticated npm account (`npm login` or a token via `NPM_TOKEN`). Versions cannot be overwritten; use `npm version` to bump before republishing. Unpublishing is heavily restricted after 72 hours — plan releases carefully. `--provenance` only works from supported CI environments with the right `repository` field set in `package.json`.

npm publish has been the primary mechanism for sharing JavaScript packages since npm's early releases. Supply-chain provenance via Sigstore was added in npm 9.5.0 (2023), and trusted publishing (OIDC-based, tokenless) was introduced for npm in subsequent releases.

npm(1), npm-version(1), npm-unpublish(1)