What / Why

We discovered this when one of our company's internal packages did some refactoring and moved the entry point elsewhere in the repository without remembering to update the main in the package.json. The end result was that npm pack happily created and allowed a package that had no chance of working properly to be published.

When

When npm pack and therefore when npm publish are run

Where

• [email protected]

How

Current Behavior

npm pack does not validate that the main exists in the tarball which makes it somewhat easy to create and publish packages that cannot be used by consumers.

Steps to Reproduce

• Create an empty directory
• npm init and step through creating everything with default values. You'll get a package.json like this

{
  "name": "npm-repro",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC"
}

• Run npm pack in this directory, and observe that the tarball is happily created

npm notice
npm notice 📦  [email protected]
npm notice === Tarball Contents ===
npm notice 205B package.json
npm notice === Tarball Details ===
npm notice name:          npm-repro
npm notice version:       1.0.0
npm notice filename:      npm-repro-1.0.0.tgz
npm notice package size:  241 B
npm notice unpacked size: 205 B
npm notice shasum:        ca39bc17447e27ef2fd0dea656e0e6b473f310d7
npm notice integrity:     sha512-p8tZD8W438r7t[...]7Oo0YMcAoNPzQ==
npm notice total files:   1
npm notice
npm-repro-1.0.0.tgz

There is no index.js, so if this package ever attempted to be used, it would not work.

Expected Behavior

• npm pack would exit with a non-zero exit code, which would also cause npm publish to fail and prevent packages whose tarballs do not contain the main from the package.json from being published to a registry.

Who

Our company ran into this when trying to publish to our internal registry.

References

• n/a