I am not sure weather it is possible or not.
Is it possible to prevent publish when npm publish ran directly and make it accessible only via scripts.
User must be denied when npm publish is executed directly. i.e. User mush be able to publish via any scripts or npm run <script>
is there a way to tell npm only to publish <folder>/ or to look for a tarball when published.
If I mark it private I won't be able to publish at all. My main intention was to prevent accidental publishes.
NPM team gave a simple workaround which is awsome.
package.json
{
"prepublishOnly": "node prepublish.js",
"release": "RELEASE_MODE=true npm publish"
}
prepublish.js
const RELEASE_MODE = !!(process.env.RELEASE_MODE)
if (!RELEASE_MODE) {
console.log('Run `npm run release` to publish the package')
process.exit(1) //which terminates the publish process
}