Return boolean private status in registry response


(Rhys Arkins) #1

I would like the npm registry to include "private": true in a successful query response, or some other way of indicating the private status of the queried package. When I am logged in with token X, there doesn’t seem to be a way to determine if a scoped package is public or private without attempting to query it a second time without a token.

(Rebecca Turner) #2

As package.json already has a field called private which means “not published to any registry” (and disables npm publish), I would suggest that this be called something else, say access where a value other than 'public' means that it’s private? That would allow us to initially just set it to 'private' and later possibly include more.

As an implementation note, I don’t believe this will be needed in corgis.

(Rhys Arkins) #3

@iarna yes you are very right about not polluting the meaning of private, even if using that field were possible. I think any field that’s unambiguous and documented would be fine, including access.

As I mentioned elsewhere, the main - but not exclusive - reason I need this is for caching purposes, i.e. I want to have simple logic to know when I can cache scoped but public packages and not cache private packages. Although setting a “correct” HTTP header indicating cache yes/no would also be useful for clients in general, I feel that there should also be the access field in the response body too, because it’s important at an application level too, not just client/cache.

Is the best next step for me to write an RFC?
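The caching rule discussed in this thread, as an added example that is not part of any post and is not npm's code: a shared cache stores only metadata it can classify as public, using the proposed `access` field when present and falling back to the token-less second query from post #1. The `access` field is the thread's proposal (hypothetical), responses are modelled as `{ status, body }` objects, and all names and sample data are constructed.

```javascript
'use strict';
// `access` is the response field PROPOSED in this thread, not an existing one.
const isScoped = (name) => /^@[^/]+\/[^/]+$/.test(name);

// Returns 'public', 'private', or 'probe' (a second, token-less query is
// still required, which is the workaround described in post #1).
function classifyAccess(name, authed, anon) {
  if (!authed || authed.status !== 200) return 'private'; // fail closed
  // Assumption: unscoped packages on the public registry are always public.
  if (!isScoped(name)) return 'public';
  const access = authed.body && authed.body.access;
  if (typeof access === 'string') {
    // Per post #2: any value other than 'public' is treated as private.
    return access === 'public' ? 'public' : 'private';
  }
  if (anon === undefined) return 'probe';
  return anon.status === 200 ? 'public' : 'private';
}

// Shared cache that only ever holds metadata classified as public, so a
// response fetched with one user's token is never served to another user.
class PublicOnlyCache {
  constructor() { this.entries = new Map(); }
  put(name, authed, anon) {
    const verdict = classifyAccess(name, authed, anon);
    if (verdict === 'public') this.entries.set(name, authed.body);
    return verdict;
  }
  get(name) { return this.entries.get(name); }
}

// Constructed sample responses.
const samples = {
  withField: { status: 200, body: { name: '@acme/ui', access: 'public' } },
  restricted: { status: 200, body: { name: '@acme/billing', access: 'restricted' } },
  noField: { status: 200, body: { name: '@acme/legacy' } },
};

function demo() {
  const cache = new PublicOnlyCache();
  const verdicts = [
    cache.put('@acme/ui', samples.withField),
    cache.put('@acme/billing', samples.restricted),
    cache.put('@acme/legacy', samples.noField),                  // field absent, no probe yet
    cache.put('@acme/legacy', samples.noField, { status: 404 }), // token-less probe failed
  ];
  return { verdicts, cached: [...cache.entries.keys()] };
}
```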