Private (scoped) packages published as public #631

Closed
mothershipper opened this issue Mar 25, 2020 · 1 comment

@mothershipper
Contributor

Hi there,

First off, thank you for all the work, this tool is great and has saved me a bunch of time. However, I've now published several (new) private packages as public inadvertently, and it was driving me crazy.

I ran a few test cases below and found that in most cases release-it behaves as you would expect, except for the minimum config (case 2). Scoped packages are published publicly by default, as opposed to npm's behavior, which leaves them private. This is even more confusing as the documentation suggests that scoped packages will remain private unless declared public -- from the docs below:

A scoped package (e.g. @user/package) is either public or private. To publish scoped packages, make sure this is in package.json:

{
  "publishConfig": {
    "access": "public"
  }
}

By default, npm publish will publish a scoped package as private (requires paid account).

This behavior was introduced by this commit, which suggests this may have been intentional -- however, if a package is marked private then release-it won't publish it to NPM in the first place.

I'm proposing that the behavior should be the following:

  1. If access is set, use access to determine public vs private
  2. If not set, default to the behavior of NPM as this is least surprising.

I've opened a PR here: #630


Testing

Using this as my example package.json:

{
  "name": "@mothership/test-scoped",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "release": "release-it"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "release-it": "^13.3.1"
  }
}

Case 1 - NPM Publish

passed

From the CLI
$ npm publish

Case 2 - Bare Release-it Config

failed

My .release-it.json:

{
  "git": {
    "push": false,
    "tagName": "v${version}",
    "requireCleanWorkingDir": false
  },
  "github": {
    "release": false 
  },
  "npm": {
    "publish": true
  }
}

From the CLI
yarn release --no-git

Case 3 - Release-it Config (access: restricted)

passed

My .release-it.json:

{
  "git": {
    "push": false,
    "tagName": "v${version}",
    "requireCleanWorkingDir": false
  },
  "github": {
    "release": false 
  },
  "npm": {
    "publish": true,
    "access": "restricted"
  }
}

From the CLI
yarn release --no-git

Case 4 - Package.json publishConfig

passed

My package.json:

{
  "name": "@mothership/test-scoped",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "publishConfig": {
    "access": "restricted"
  },
  "scripts": {
    "release": "release-it"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "release-it": "^13.3.1"
  }
}

My .release-it.json:

{
  "git": {
    "push": false,
    "tagName": "v${version}",
    "requireCleanWorkingDir": false
  },
  "github": {
    "release": false 
  },
  "npm": {
    "publish": true
  }
}

From the CLI
yarn release --no-git

@webpro
Collaborator

webpro commented Mar 26, 2020

Thanks @mothershipper! I have simply deprecated the npm.access option, as (not) setting this in package.json is recommended in any case. Just released in v13.3.2. In the next major release I'll remove the option/implementation altogether.

@webpro webpro closed this as completed Mar 26, 2020
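
The resolution rule proposed in the issue (an explicit access setting wins, otherwise npm's default applies), written out as a pre-publish check over the issue's test cases. This is an added example, not release-it's code or the reporter's; `resolveAccess`, `publishGate`, the precedence of package.json over `.release-it.json`, and the gate's policy are assumptions.

```javascript
// Added example, not release-it code. Assumption: package.json wins over .release-it.json.
const VALID = new Set(['public', 'restricted']);

// pkg: parsed package.json; releaseIt: parsed .release-it.json (may be {}).
function resolveAccess(pkg, releaseIt = {}) {
  const scoped = typeof pkg.name === 'string' && pkg.name.startsWith('@');
  const candidates = [
    ['package.json publishConfig.access', pkg.publishConfig && pkg.publishConfig.access],
    ['.release-it.json npm.access', releaseIt.npm && releaseIt.npm.access],
  ];
  for (const [source, value] of candidates) {
    if (value === undefined) continue;
    if (!VALID.has(value)) throw new Error(`${source}: invalid access "${value}"`);
    return { scoped, access: value, source };
  }
  // Nothing declared: fall back to npm publish's default (scoped => restricted).
  return { scoped, access: scoped ? 'restricted' : 'public', source: 'npm default' };
}

// Hypothetical pre-publish gate: a scoped package must declare its access, so
// the outcome never depends on which tool's default happens to apply.
function publishGate(pkg, releaseIt = {}) {
  if (pkg.private === true) return { ok: true, reason: '"private": true, not published' };
  const r = resolveAccess(pkg, releaseIt);
  if (r.scoped && r.source === 'npm default') {
    return { ok: false, reason: 'scoped package declares no access' };
  }
  return { ok: true, reason: `${r.access} via ${r.source}` };
}

// Sample input reconstructed from the issue's cases 2-4, trimmed to the relevant keys.
const SAMPLE_PKG = { name: '@mothership/test-scoped', version: '1.0.0' };
const CASES = {
  case2: [SAMPLE_PKG, { npm: { publish: true } }],
  case3: [SAMPLE_PKG, { npm: { publish: true, access: 'restricted' } }],
  case4: [{ ...SAMPLE_PKG, publishConfig: { access: 'restricted' } }, { npm: { publish: true } }],
};

// Runs the gate over every sample case and returns the verdicts keyed by case name.
function runCases() {
  const out = {};
  for (const [name, [p, cfg]] of Object.entries(CASES)) out[name] = publishGate(p, cfg);
  return out;
}

console.log(runCases());
```

Only the bare configuration (case 2) is rejected, which is the one case where the published visibility depended on a tool default rather than on anything in the repository.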