libnpmaccess

libnpmaccess is a Node.js library that provides programmatic access to the guts of the npm CLI's npm access command. This includes managing account mfa settings, listing packages and permissions, looking at package collaborators, and defining package permissions for users, orgs, and teams.

Example

const access = require('libnpmaccess')
const opts = { '//registry.npmjs.org/:_authToken: 'npm_token }

// List all packages @zkat has access to on the npm registry.
console.log(Object.keys(await access.getPackages('zkat', opts)))

API

opts for all libnpmaccess commands

libnpmaccess uses npm-registry-fetch.

All options are passed through directly to that library, so please refer to its own opts documentation for options that can be passed in.

spec parameter for all libnpmaccess commands

spec must be an npm-package-arg-compatible registry spec.

access.getCollaborators(spec, opts) -> Promise<Object>

Gets collaborators for a given package

access.getPackages(user|scope|team, opts) -> Promise<Object>

Gets all packages for a given user, scope, or team.

Teams should be in the format scope:team or @scope:team

Users and scopes can be in the format @scope or scope

access.getVisibility(spec, opts) -> Promise<Object>

Gets the visibility of a given package

access.removePermissions(team, spec, opts) -> Promise<Boolean>

Removes the access for a given team to a package.

Teams should be in the format scope:team or @scope:team

access.setAccess(package, access, opts) -> Promise<Boolean>

Sets access level for package described by spec.

The npm registry accepts the following access levels:

• public: package is public
• private: package is private

The npm registry also only allows scoped packages to have their access level set.

access.setMfa(spec, level, opts) -> Promise<Boolean>`

Sets the publishing mfa requirements for a given package. Level must be one of the following:

• none: mfa is not required to publish this package.
• publish: mfa is required to publish this package, automation tokens cannot be used to publish.
• automation: mfa is required to publish this package, automation tokens may also be used for publishing from continuous integration workflows.

access.setPermissions(team, spec, permssions, opts) -> Promise<Boolean>`

Sets permissions levels for a given team to a package.

Teams should be in the format scope:team or @scope:team

The npm registry accepts the following permissions:

• read-only: Read only permissions
• read-write: Read and write (aka publish) permissions

Changelog

11.4.1 (2025-05-21)

Documentation

• 3ed764a #8308 Clarify script working directory behavior (fixes #8305) (#8308) (@tarekwfa0110, @owlstronaut)

  Chores

• 2f30251 #8314 remove references to skimdb.npmjs.com (#8314) (@shmam)
• 9cb9d50 #8298 add contributor to changelog entry (#8298) (@wraithgar)

Dependencies

• workspace: @npmcli/arborist@9.1.1
• workspace: libnpmdiff@8.0.4
• workspace: libnpmexec@10.1.3
• workspace: libnpmfund@7.0.4
• workspace: libnpmpack@9.0.4

11.4.0 (2025-05-15)

Features

• a0e60fb #8246 added init-private option (@owlstronaut)
• 57aa89f #8265 use run by default and run-script as the alias (#8265) (@owlstronaut)
• 0d4c023 #8234 install: add package info to json output (#8234) (@wraithgar)

  Bug Fixes

• 8794fd9 #8297 powershell: support pipeline input with Invoke-Expression (#8297) (@alexsch01)
• b5173d1 #8293 docs: corrected github_path (#8293) (@xaos7991)
• 2210d7a #8278 powershell: use Invoke-Expression to pass args (#8278) (@alexsch01, @mbtools)
• 8669d09 #8228 add otplease for enable-2fa, disable-2fa, access (#8228) (@reggi, @wraithgar)
• 78b5a6f #8269 correctly handle scenario where prefix is the cwd (#8269) (@owlstronaut, @ficocelliguy)
• fdc3413 #8221 exec: Fails to Execute Binaries Named After Shell Keywords (#8221) (@13sfaith)
• 4b08e2e #8245 docs: prepare script runs for local package links (@milaninfy)
• 1622ac4 #8241 handle missing time in packument to prevent crash on npm view (@owlstronaut)
• db8f5da #8110 outdated: add dependent location in long output (#8110) (@milaninfy, @wraithgar)

  Documentation

• d2498df #8295 Remove CHANGELOG from never-ignored list (#8295) (@mrazauskas)
• 4d5c3c1 #8283 fix overrides example in package-json.md (#8283) (@glasser)
• 96cc4f9 #8226 format publish as code to highlight it (@LiangYingC)
• 4990ea0 #8226 clarify legacy token creation in npm login and adduser commands (@LiangYingC)

  Dependencies

• c97ef8a #8246 init-package-json@8.2.1
• f48613d #8292 @sigstore/verify@2.1.1
• a4c5e74 #8292 tinyglobby@0.2.13
• b9156d2 #8292 http-cache-semantics@4.2.0
• 472a685 #8292 binary-extensions@3.1.0
• 988696e #8292 @sigstore/tuf@3.1.1
• 569ac84 #8292 semver@7.7.2
• 2521c9b #8233 @sigstore/protobuf-specs@0.4.1
• 3274d68 #8233 @npmcli/query@4.0.1
• c263626 #8233 abbrev@3.0.1
• 78df711 #8233 hosted-git-info@8.1.0

  Chores

• e80e38e #8292 dev dependency updates (@wraithgar)
• 3231ee9 #8244 update snapshots (@owlstronaut)
• c561a33 #8233 dev dependency updates (@owlstronaut)
• 7eca19c #8215 update workflow permissions for updating Node PR (@owlstronaut)
• workspace: @npmcli/arborist@9.1.0
• workspace: @npmcli/config@10.3.0
• workspace: libnpmaccess@10.0.1
• workspace: libnpmdiff@8.0.3
• workspace: libnpmexec@10.1.2
• workspace: libnpmfund@7.0.3
• workspace: libnpmpack@9.0.3
• workspace: libnpmteam@8.0.1
• workspace: libnpmversion@8.0.1

11.3.0 (2025-04-08)

Features

• b306d25 #8129 add node-gyp as actual config (@wraithgar)

  Bug Fixes

• 2f5392a #8135 make npm run autocomplete work with workspaces (#8135) (@terrainvidia)

  Documentation

• 26b6454 fix grammer in local path note (@cgay)
• 1c0e83d #7886 fix typo in package-json.md (#7886) (@stoneLeaf)
• 14efa57 #8178 fix example package name in overrides explainer (#8178) (@G-Rath)
• 4183cba #8162 logging: replace proceeding with preceding in loglevels details (#8162) (@tyleralbee)

  Dependencies

• e57f112 #8207 minipass-fetch@4.0.1
• 3daabb1 #8207 minizlib@3.0.2
• c7a7527 #8207 ci-info@4.2.0
• 20b09b6 #8207 node-gyp@11.2.0
• 679bc4a #8129 @npmcli/run-script@9.1.0

  Chores

• 3fbed84 #8207 install rimraf as a devdependency for smoke tests (@owlstronaut)
• 43f0b41 #8207 dev dependency updates (@wraithgar)
• 26803bc #8147 release integration node 23 yml (#8147) (@reggi)
• d679a1a #8146 release integration node 23 (#8146) (@reggi)
• workspace: @npmcli/arborist@9.0.2
• workspace: @npmcli/config@10.2.0
• workspace: libnpmdiff@8.0.2
• workspace: libnpmexec@10.1.1
• workspace: libnpmfund@7.0.2
• workspace: libnpmpack@9.0.2

11.2.0 (2025-03-05)

Features

• 247ee1d #8100 cache: add npx commands (@wraithgar)
• 3a80a7b #8081 add --init-type flag (#8081) (@reggi)
• 2a1e11f #8071 move nerfDart list into @npmcli/config (@wraithgar)

  Bug Fixes

• 8461186 #8100 update npx cache if possible when spec is a range (@wraithgar)
• e345cc5 #8050 don't suggest npm update outside of valid engine range (#8050) (@milaninfy)
• 811ca29 #8115 stop working around bug fixed in npm-package-arg@12.0.2 (@TrevorBurnham)
• 879303c #8078 warn on invalid publishConfig (#8078) (@wraithgar)
• 41417de #8080 warn when TUF fetching of keys fails (#8080) (@wraithgar)
• 593c849 #8076 warn on invalid single-hyphen cli flags (#8076) (@wraithgar)

  Dependencies

• 3d8b257 #8100 @npmcli/package-json@6.1.1
• ab17523 #8134 supports-color@10.0.0
• 3cbe21a #8134 foreground-child@3.3.1
• ee5e1aa #8118 @npmcli/redact@3.1.1
• 5df69b4 #8118 exponential-backoff@3.1.2
• 80c3273 #8118 read@4.1.0
• 7fd70fa #8118 node-gyp@11.1.0
• 7aeffff #8118 cidr-regex@4.1.3
• b0c0490 #8118 is-cidr@5.1.1
• ef49d6b #8118 sigstore@3.1.0
• 1399bfb #8118 socks@2.8.4
• 6b72107 #8118 semver@7.7.1
• c9ad0c4 #8118 @npmcli/git@6.0.3
• b153927 #8115 npm-package-arg@12.0.2
• f0f6265 #8071 nopt@8.1.0

  Chores

• cc72b89 #8143 fix smoke tests to account for new release versions within a workspace (#8143) (@reggi)
• c3810bc #8134 dev dependency updates (@wraithgar)
• 9dc40e6 #8118 dev dependency updates (@wraithgar)
• 7ec0831 #8118 update jsonpath-plus (@wraithgar)
• ed85b01 #8071 tests for config warnings/changes (@wraithgar)
• workspace: @npmcli/arborist@9.0.1
• workspace: @npmcli/config@10.1.0
• workspace: libnpmdiff@8.0.1
• workspace: libnpmexec@10.1.0
• workspace: libnpmfund@7.0.1
• workspace: libnpmpack@9.0.1

11.1.0 (2025-01-29)

Features

• 7f6c997 #8009 add dry-run to deprecate/undeprecate commands (@wraithgar)
• 1764a37 #8009 add npm undeprecate command (@wraithgar)

  Bug Fixes

• 31455b2 #8054 publish: honor force for no dist tag and registry version check (#8054) (@reggi)
• dc31c1b #8038 remove max-len linting bypasses (@wraithgar)
• 8a911ff #8038 publish: disregard deprecated versions when calculating highest version (@wraithgar)
• 7f72944 #8038 publish: accept publishConfig.tag to override highes semver check (@wraithgar)
• ab9ddc0 #7992 sbom: deduplicate sbom dependencies (#7992) (@bdehamer)
• f7da341 #7980 search: properly display multiple search terms (#7980) (@wraithgar)

  Documentation

• 3644e79 #8055 update readme for Node.js versions, remove badges (#8055) (@wraithgar)
• f1af61f #8041 fix typos in "package-json" (#8041) (@maxkoryukov)
• e90c6fe #8051 depth flag default value (#8051) (@milaninfy)
• 866b5ee #8030 safer documentation urls, repos, packages (#8030) (@reggi)

  Dependencies

• 7ddfbad #8053 @npmcli/package-json@6.1.1
• 9473a86 #8053 spdx-license-ids@3.0.21
• a65e5ce #8053 @sigstore/protobuf-specs@0.3.3
• 215ebe4 #8053 chalk@5.4.1

  Chores

• 61f00e3 #8069 splits out smoke-tests from publish-dryrun tests (#8069) (@reggi)
• 6d0f46e #8058 stop publish smoke from check git clean (#8058) (@reggi)
• 9281ebf #8057 fix smoke tests prerelease needs separate string args (#8057) (@reggi)
• aa202e9 #8056 smoke tests using a preid (#8056) (@reggi)
• 18e0449 #8053 dev dependency updates (@wraithgar)
• 859a71c #8052 update node versions for release integration tests (#8052) (@wraithgar)
• 7e7961d #8038 bump @npmcli/eslint-config to 5.1.0 (@wraithgar)
• workspace: @npmcli/config@10.0.1

11.0.0 (2024-12-16)

Documentation

• 8a911da #7963 ls: removed design change pending section note (#7963) (@milaninfy)

  Dependencies

• 5319e48 #7973 remove unnecessary sprintf-js files in node_modules (#7973)
• d369c77 #7976 socks-proxy-agent@8.0.5
• 3b2951a #7976 https-proxy-agent@7.0.6
• a598b7b #7976 agent-base@7.1.3
• 52bcaf6 #7976 debug@4.4.0
• aabf345 #7976 p-map@7.0.3
• 28e8761 #7976 npm-package-arg@12.0.1

  Chores

• ecd7190 #7976 dev dependency updates (@wraithgar)
• a07f4e0 #7976 @npmcli/template-oss@4.23.6 (@wraithgar)
• 687ab12 #7970 remove pre-release mode from npm 11 and workspaces (#7970) (@wraithgar)
• workspace: @npmcli/arborist@9.0.0
• workspace: @npmcli/config@10.0.0
• workspace: libnpmaccess@10.0.0
• workspace: libnpmdiff@8.0.0
• workspace: libnpmexec@10.0.0
• workspace: libnpmfund@7.0.0
• workspace: libnpmorg@8.0.0
• workspace: libnpmpack@9.0.0
• workspace: libnpmpublish@11.0.0
• workspace: libnpmsearch@9.0.0
• workspace: libnpmteam@8.0.0
• workspace: libnpmversion@8.0.0

11.0.0-pre.1 (2024-12-06)

⚠️ BREAKING CHANGES

• Upon publishing, in order to apply a default "latest" dist tag, the command now retrieves all prior versions of the package. It will require that the version you're trying to publish is above the latest semver version in the registry, not including pre-release tags.
• npm init now has a type prompt, and sorts the entries the created packages differently
• bun.lockb files are now included in the strict ignore list during packing

  Features

• f3ac7b7 #7939 no implicit latest tag on publish when latest > version (#7939) (@reggi, @ljharb)

  Bug Fixes

• e362c6d #7944 prefix: remove duplicate -g from usage output (#7944) (@wraithgar)

  Documentation

• 2af31dd #7947 change certfile to cafile (#7947) (@wraithgar)
• 1be8e95 #7945 update ignore rules (@wraithgar)

  Dependencies

• bc9b14d #7955 @npmcli/run-script@9.0.2
• fecfcf4 #7955 node-gyp@11.0.0
• 8905037 #7955 p-map@7.0.2
• ac8eb39 #7955 diff@7.0.0
• c0bcc2a #7955 walk-up-path@4.0.0
• d463a6f #7955 init-package-json@8.0.0
• b87ba24 #7945 @npmcli/package-json@6.1.0
• 4bf1901 #7945 @npmcli/metavuln-calculator@9.0.0
• ca84b22 #7945 pacote@21.0.0
• 4906f3d #7945 npm-packlist@10.0.0

  Chores

• cfdf214 #7943 fork changelog (#7943) (@wraithgar)
• workspace: @npmcli/arborist@9.0.0-pre.1
• workspace: @npmcli/config@10.0.0-pre.1
• workspace: libnpmdiff@8.0.0-pre.1
• workspace: libnpmexec@10.0.0-pre.1
• workspace: libnpmfund@7.0.0-pre.1
• workspace: libnpmorg@8.0.0-pre.1
• workspace: libnpmpack@9.0.0-pre.1

11.0.0-pre.0 (2024-11-26)

⚠️ BREAKING CHANGES

• When publishing a package with a pre-release version, you must explicitly specify a tag.
• --ignore-scripts now applies to all lifecycle scripts, include prepare
• npm will no longer fall back to the old audit endpoint if the bulk advisory request fails.
• npm will no longer switch to global mode if aliased to "npmg" or "npm-g" etc.
• The npm hook command has been removed
• Attestations made by this package will no longer validate in npm versions prior to 10.6.0
• npm now supports node ^20.17.0 || >=22.9.0
• @npmcli/docs now supports node ^20.17.0 || >=22.9.0

  Features

• 6995303 #7850 adds --ignore-scripts flag to pack (@reggi)

  Bug Fixes

• 16b7367 #7910 publishing prerelease requires explicit tag (#7910) (@reggi)
• e19bff0 #7901 perf: enable compile cache if present (#7901) (@H4ad)
• 080a0f2 #7911 remove old audit fallback request (@wraithgar)
• 780afc5 #7855 pkg: display if any of multiple attributes exist (#7855) (@Sanderovich)
• ecd2d23 #7842 don't go into global mode if aliased to npmg (#7842) (@wraithgar)
• 62c71e5 #7835 removes npm hook command (@reggi)
• 7f541e8 #7815 make pack and exec work with git hash refs (#7815) (@milaninfy)
• 3162620 #7831 sets node engine range to ^20.17.0 || >=22.9.0 (@reggi)
• 4c8ba0a #7831 for @npmcli/docs sets node engine range to ^20.17.0 || >=22.9.0 (@reggi)
• 70cd88d #7808 view: sort and truncate dist-tags (#7808) (@wraithgar)
• 534ad77 #7795 remove unused parameters catch statements (#7795) (@btea)

  Documentation

• feb54f7 #7822 package.json: add libc field (#7822) (@wraithgar)

  Dependencies

• 78293ad #7937 spdx-license-ids@3.0.20
• 33cf580 #7937 promise-call-limit@3.0.2
• ef1c368 #7937 package-json-from-dist@1.0.1
• 92e6f07 #7937 npm-registry-fetch@18.0.2
• e32284a #7937 npm-install-checks@7.1.1
• 5dffd11 #7937 negotiator@0.6.4
• 69d9f01 #7937 make-fetch-happen@14.0.3
• 884bbde #7937 hosted-git-info@8.0.2
• 3c74ec0 #7937 debug@4.3.7
• f00359f #7937 cross-spawn@7.0.6
• 534bbe8 #7937 ci-info@4.1.0
• 8cbf1a7 #7937 @npmcli/promise-spawn@8.0.2
• 1bd39e7 #7937 @npmcli/map-workspaces@4.0.2
• eb6498d #7937 ansi-regex@6.1.0
• 66fc8c9 #7850 @npmcli/metavuln-calculator@8.0.1
• 7dbef6f #7850 pacote@20.0.0
• 75a3f12 #7859 remove unused deps (#7859)
• f36dc59 #7833 pacote@19.0.1
• 7ee15bb #7833 bump sigstore from 2.x to 3.0.0 (@bdehamer)

  Chores

• 2d530a5 #7941 tests: account for when npm is a prerelease (#7941) (@wraithgar)
• 2c1b369 #7937 dev dependency updates (@wraithgar)
• 6edfe2f #7937 @npmcli/template-oss@4.23.5 (@wraithgar)
• 475285b #7920 clean up dependency graph repos (#7920) (@hashtagchris)
• ec57f5f #7911 fix dependencies script for circular workspace deps (@wraithgar)
• ccd8420 #7911 fix cli tests for audit fallback removal (@wraithgar)
• 720b4d8 #7833 bump @npmcli/arborist to 8.0.0 (@wraithgar)
• 286739c #7824 add creation of a DEPENDENCIES.json file (#7824) (@reggi)
• 852dd8b #7831 sets npm 11 to prerelase (@reggi)
• 95d009e #7831 update engine ^20.17.0 || >=22.9.0 in actions (@reggi)
• 5a74478 #7831 update engines ^20.17.0 || >=22.9.0 in package template (@reggi)
• workspace: @npmcli/arborist@9.0.0-pre.0
• workspace: @npmcli/config@10.0.0-pre.0
• workspace: libnpmaccess@10.0.0-pre.0
• workspace: libnpmdiff@8.0.0-pre.0
• workspace: libnpmexec@10.0.0-pre.0
• workspace: libnpmfund@7.0.0-pre.0
• workspace: libnpmorg@8.0.0-pre.0
• workspace: libnpmpack@9.0.0-pre.0
• workspace: libnpmpublish@11.0.0-pre.0
• workspace: libnpmsearch@9.0.0-pre.0
• workspace: libnpmteam@8.0.0-pre.0
• workspace: libnpmversion@8.0.0-pre.0