One‑command publishing for workspaces to *multiple* registries (npm · jsr · private).
Safe by default, CI‑friendly by design, and extensible through plugins.
- Atomic multi‑registry publish – npm & jsr run concurrently; plug in more registries with a few lines of code.
- Monorepo aware (Soon) – detects workspaces (pnpm/yarn/npm) and publishes each package in the correct order.
- Smart 2FA handling – OTP prompt when interactive, provenance publish when headless.
- Rigid safety guards – branch & work‑tree checks, remote divergence, registry ping, login & permission validation.
- Preview & rollback – inspect the full task‑graph with `--preview`; automatic rollback on failure.
- Pluggable pipeline – customise steps via `pubm.config.(c)js`.
Capability | pubm | np |
---|---|---|
Multi‑registry (npm and jsr) | ✅ Built‑in | ❌ npm‑only |
Workspaces / monorepo | ✅ Road‑map & design | ❌ Not supported |
Interactive‑first, CI‑friendly (prompts auto‑off in CI/non‑TTY) | ✅ Prompts auto‑disabled when stdin ≠ TTY or CI env detected | |
Plugin architecture | ✅ Registry & task plugins | ❌ |
2FA in CI | ✅ Provenance publish with `NODE_AUTH_TOKEN` | ❌ Error if 2FA enforced |
Windows & Bun support | 🕓 Planned | ✅ |
See np for the original local‑only flow.
```bash
npm i -g pubm
pubm patch --preview
```
Flag | Purpose |
---|---|
`-p, --preview` | Dry‑run: show tasks, no side‑effects |
`--registry <list>` | Comma‑separated targets, e.g. `npm,jsr,https://registry.example.com` |
`--branch <name>` / `--any-branch` | Release branch guard control |
`--no-pre-check` / `--no-condition-check` | Skip guard stages |
👉 Full option list: see `pubm --help` or the CLI reference.
- Prerequisite checks – branch, work‑tree, commits, existing tag.
- Required condition checks – registry ping, login & permission, engine versions.
- Test & build (optional)
- Version bump & tag (SemVer)
- Concurrent publish – npm (OTP/provenance), jsr, plugins.
- Git push & GitHub release draft
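
To make the prerequisite guards and the 2FA mode switch concrete, here is an added sketch (not pubm's own code) that evaluates them from raw git output. The function names, the `v<version>` tag format, the `main` default branch and detecting CI through the `CI` variable are assumptions made for this example.

```javascript
// Added illustration, not pubm's source. Inputs are the raw outputs of:
//   git rev-parse --abbrev-ref HEAD
//   git status --porcelain
//   git rev-list --left-right --count HEAD...@{u}
//   git tag --list
function checkPrerequisites({ branch, porcelain, leftRight, tags, version },
                            { releaseBranch = "main", anyBranch = false } = {}) {
  const failures = [];

  // Branch guard: release only from the configured branch unless --any-branch.
  if (!anyBranch && branch.trim() !== releaseBranch) {
    failures.push(`branch: on "${branch.trim()}", expected "${releaseBranch}"`);
  }

  // Work-tree guard: any porcelain line means uncommitted or untracked files.
  const dirty = porcelain.split("\n").filter((l) => l.trim() !== "");
  if (dirty.length > 0) {
    failures.push(`work-tree: ${dirty.length} uncommitted path(s)`);
  }

  // Remote divergence: output is "<ahead>\t<behind>" relative to upstream.
  const m = /^(\d+)\s+(\d+)$/.exec(leftRight.trim());
  if (!m) {
    failures.push("remote: cannot parse ahead/behind counts");
  } else if (Number(m[2]) > 0) {
    failures.push(`remote: local branch is ${m[2]} commit(s) behind upstream`);
  }

  // Tag guard: never reuse a version that is already tagged (assumed "v" prefix).
  const tagSet = new Set(tags.split("\n").map((t) => t.trim()).filter(Boolean));
  if (tagSet.has(`v${version}`) || tagSet.has(version)) {
    failures.push(`tag: ${version} already exists`);
  }
  return failures;
}

// 2FA handling: prompt for an OTP only when a human can answer it.
function selectAuthMode({ stdinIsTTY, env }) {
  const inCI = Boolean(env.CI); // assumption: CI is signalled by the CI variable
  if (stdinIsTTY && !inCI) return "otp-prompt";
  if (env.NODE_AUTH_TOKEN) return "provenance-token";
  return "fail-no-credentials";
}

// Constructed sample: feature branch, one modified file, 2 commits behind, tag exists.
const sample = { branch: "feature/x\n", porcelain: " M package.json\n",
                 leftRight: "0\t2\n", tags: "v1.0.0\nv1.1.0\n", version: "1.1.0" };
console.log(checkPrerequisites(sample));
console.log(selectAuthMode({ stdinIsTTY: false, env: { CI: "true", NODE_AUTH_TOKEN: "placeholder" } }));
```

Returning every failure at once, rather than stopping at the first, lets a preview run report all blocked guards in one pass.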
The only way to access jsr’s certified environment is through a direct API request with a token.
The jsr token is encrypted and stored using various layers of information. As long as you have control over the local machine where pubm was run, it is highly unlikely the token can be compromised.
If you prefer not to save tokens, you can use the `--no-save-token` option, which will request the token each time.