Staged publishing adds an approval step before packages go live on the npm registry. Instead of publishing directly with npm publish, you can submit packages to a staging area with npm stage publish. A maintainer must then review and explicitly approve the staged package, with two-factor authentication (2FA) via the CLI or npmjs.com, before it becomes publicly available.
Staged publishing is useful when you want an extra review step before a package version becomes available on the registry.
Note: Staged publishing requires npm CLI version 11.15.0 or later and Node version 22.14.0 or later.
How staged publishing works
Staged publishing has three steps:
Prerequisites
Before using staged publishing, ensure the following:
Stage a package
On the command line, navigate to the root directory of your package.
cd /path/to/package
To stage your package, run:
npm stage publish
This submits your package to the staging area.
Note: npm stage publish does not require 2FA.
Review a staged package
After you stage a package, you can inspect it in the CLI or on npmjs.com.
Using the CLI
To list staged packages you have access to:
npm stage list [<package-spec>]
To view details for a specific staged package:
npm stage view <stage-id>
To download the staged package tarball for inspection:
npm stage download <stage-id>
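One way to inspect the downloaded tarball before approving it, as an added example that is not part of the original page or of npm's tooling. The function names `readTar` and `reviewStagedTarball`, the choice of checks, and the assumption that the tarball uses the `package/` layout produced by npm pack are this example's own.

```javascript
// Added example: pre-approval checks on a staged tarball (not npm's own tooling).
const zlib = require("node:zlib");
const crypto = require("node:crypto");

// Install-time hooks that run automatically on the consumer's machine.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Minimal ustar reader: returns a Map of path -> Buffer for regular files.
// Pax extended headers are skipped, so very long paths may appear truncated.
function readTar(tar) {
  const files = new Map();
  for (let off = 0; off + 512 <= tar.length; ) {
    const header = tar.subarray(off, off + 512);
    if (header.every((b) => b === 0)) break; // end-of-archive marker
    const field = (start, len) =>
      header.subarray(start, start + len).toString("utf8").replace(/\0.*$/s, "");
    const size = parseInt(field(124, 12).trim() || "0", 8);
    const prefix = field(345, 155);
    const name = prefix ? `${prefix}/${field(0, 100)}` : field(0, 100);
    const type = field(156, 1);
    if (type === "0" || type === "")
      files.set(name, tar.subarray(off + 512, off + 512 + size));
    off += 512 + Math.ceil(size / 512) * 512; // data is padded to 512-byte blocks
  }
  return files;
}

// tgz: Buffer with the downloaded tarball; expected* come from the release plan.
function reviewStagedTarball(tgz, expectedName, expectedVersion) {
  const files = readTar(zlib.gunzipSync(tgz));
  const findings = [];
  const manifest = files.get("package/package.json");
  if (!manifest) return { ok: false, findings: ["missing package/package.json"], files: [] };
  const pkg = JSON.parse(manifest.toString("utf8"));
  if (pkg.name !== expectedName || pkg.version !== expectedVersion)
    findings.push(`identity mismatch: ${pkg.name}@${pkg.version}`);
  for (const hook of INSTALL_HOOKS)
    if (pkg.scripts && pkg.scripts[hook]) findings.push(`install hook: ${hook}`);
  for (const path of files.keys())
    if (!path.startsWith("package/") || path.split("/").includes(".."))
      findings.push(`unexpected path: ${path}`);
  // SRI-style sha512 digest, for comparison with the digest of the CI-built tarball.
  const integrity = "sha512-" + crypto.createHash("sha512").update(tgz).digest("base64");
  return { ok: findings.length === 0, findings, files: [...files.keys()], integrity };
}
```

Call `reviewStagedTarball` with the tarball's bytes (for example from `fs.readFileSync`) and the name and version you expect to release; any entry in `findings` is a reason to hold the approval until it is explained.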
Using npmjs.com
Open the Staged Packages tab to review staged packages and find the package you want to approve.
Approve a staged package
To publish a staged package to the registry, approve it with 2FA.
Using the CLI
To approve a staged package and publish it to the live registry:
npm stage approve <stage-id>
Using npmjs.com
On npmjs.com, review the staged package in the Staged Packages tab, then click Approve.
Note: Whether you approve the package in the CLI or on npmjs.com, you will be prompted for 2FA verification.
Using staged publishing with trusted publishers
If you use trusted publishing (OIDC) from CI/CD, you can use staged publishing to submit a package for review before it goes live. A maintainer must still review and approve the staged package with 2FA.
For more information on configuring trusted publisher permissions, see "Trusted publishing for npm packages."