Here are the basic guidelines to publishing packages for Google-owned code to npm:
As a first step, please review the OSPO guidelines on creating and releasing code publicly (go/releasing).
Figure out a good name and namespace (scope) for your module. npm modules can be published in the global namespace (e.g. eventid) or they can be published under the a Google namespace (e.g. @google/maps, or @google-cloud/vision). We recommend publishing under the
Published modules should be owned by one of the Google organizations. This helps ensure that we retain admin control over the project in case you lose access to the module. Note that on npm, organizations and scopes (also called namespaces) are distinct concepts. You can publish a globally scoped module that is part of the @google npm organization.
To publish a new npm package for code hosted on GitHub, you can use our self-serve publishing tool hosted at http://linkremoved/
- The tool uses your GitHub account to authenticate and validate that you have push access to the repo and then grants you a publishing token.
- A bot manages the actual publishing to npm for you. It eliminates the need for you to manage npm accounts and teams, and deal with their security and 2FA configuration.
If the self-serve publishing tool is not suitable for your use-case; send an email to emailremoved@ with the following information:
- The name of the package you want to publish and under which scope (global, @google, @google-cloud).
- A 'team name' for the team of Googlers who will be managing the module
(i.e. will have publish rights). There are two options to setup the
- Everyone who needs to manage the package already has an npm account. Please send us the list of the npm accounts to add to the team.
- Use a shared team account. Please create a new account on npm with an appropriate team name and save credentials in Google's password storage system.
- Links to github repo (if any) and Ariane launch.
- We will create a team for you and you will be able to publish/manage the module yourself.
Activate two-factor authentication (2FA) for auth and writes on your npm account. npm supports 2FA, although the standard-issue Google security keys are currently not supported and you must use apps like Google Authenticator. Given the well-known security considerations with npm, we strongly recommend 2FA for all Googlers who publish Google source code to npm.
When enabling 2FA, make sure to save the recovery codes for your account. We do not have the ability to recover your npm account if you get locked out.
For npm modules that are managed by a team, we recommend everyone on a team needing to publish modules to have their own npm account. Presently npm doesn’t provide an elegant way to support 2FA codes for a shared team account.
Do not create new namespaces or organizations for Google projects. If you think you need a new namespace or org, please contact emailremoved@ first.
Feel free to contact emailremoved@ if you have any questions!