[BUG] npm pack completes successfully even if main is not present in the package

[millerick]

What / Why

We discovered this when one of our company's internal packages did some refactoring and moved the entry point elsewhere in the repository without remembering to update the main in the package.json. The end result was that npm pack happily created and allowed a package that had no chance of working properly to be published.

When

When npm pack and therefore when npm publish are run

Where

• [email protected]

How

Current Behavior

npm pack does not validate that the main exists in the tarball which makes it somewhat easy to create and publish packages that cannot be used by consumers.

Steps to Reproduce

• Create an empty directory
• npm init and step through creating everything with default values. You'll get a package.json like this

{
  "name": "npm-repro",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC"
}

• Run npm pack in this directory, and observe that the tarball is happily created

npm notice
npm notice 📦  [email protected]
npm notice === Tarball Contents ===
npm notice 205B package.json
npm notice === Tarball Details ===
npm notice name:          npm-repro
npm notice version:       1.0.0
npm notice filename:      npm-repro-1.0.0.tgz
npm notice package size:  241 B
npm notice unpacked size: 205 B
npm notice shasum:        ca39bc17447e27ef2fd0dea656e0e6b473f310d7
npm notice integrity:     sha512-p8tZD8W438r7t[...]7Oo0YMcAoNPzQ==
npm notice total files:   1
npm notice
npm-repro-1.0.0.tgz

There is no index.js, so if this package ever attempted to be used, it would not work.

Expected Behavior

• npm pack would exit with a non-zero exit code, which would also cause npm publish to fail and prevent packages whose tarballs do not contain the main from the package.json from being published to a registry.

Who

Our company ran into this when trying to publish to our internal registry.

References

• n/a

[millerick]

I'm not sure if this is better suited as a bug for npm-packlist. I'm not fully sure how the npm organization wants to keep separation of concerns between the two. I.e. should npm-packlist just blindly return a list of files that should attempt to be included without doing any validation and leave that higher order validation to take place in any packages that want to consume the functionality of npm-packlist?

[ljharb]

This isn't npm-packlist's job, it's npm publish's job if anything.

[millerick]

That sounds reasonable. For whatever reason my company has taken to using npm pack to as a test to see whether or not publishes will complete successfully. npm publish --dry-run is probably a better check.

[darcyclarke]

npm v6 is no longer in active development; We will continue to push security releases to v6 at our team's discretion as-per our Support Policy.

If your bug is reproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo

Closing: This is an automated message.