Release script prompts for NPM 2FA code #12908
Conversation
| @@ -19,10 +19,17 @@ const push = async ({cwd, dry, packages, version, tag}) => { | |||
| throw new Error('The tag `latest` can only be used for stable versions.'); | |||
| } | |||
|
|
|||
| // Pass two factor auth code if provided: | |||
| // https://docs.npmjs.com/getting-started/using-two-factor-authentication | |||
| const twoFactorAuth = opt != null ? `--opt ${opt}` : ''; | |||
There was a problem hiding this comment.
Gah! I read it, multiple times, as "opt" 😦 but you're right.
bvaughn
changed the title
I think this is okay for now. It's already the case if you e.g. don't have access to a package and it fails midway through. So let's follow up if we want to clean up this in general. |
|
I don't expect it to be a large problem in practice. In practice, tokens are good for a minute or two in order to support clock drift. |
|
Is that an approval? 😄 |
|
No, I didn't look at the code. |
|
Would you...? |
|
Thanks! |
I haven't really tested this, but in theory, it prompts you for a 2FA code prior to publishing. If you provide a code, it passes it via the
--optflag tonpm publishwhich is how the docs specify you should pass it.Publishing is quick, and hopefully all of the packages can be published with the same token. But it's possible that it will expire in the middle, which would not be ideal. In that case, you would need to re-run the publish command with modifications to skip the already published packages.
I'm opening this PR for discussion purposes. I'll give it a little more thought before marking it ready for review.