Tracks the manual npm-publish step for the v1.0.0 cut. The wrapper
itself shipped in #34 (nodeup-npm/ in repo, scripts/check.js +
scripts/install.js, pinned-version design). The npm package name
is nodeupx (not nodeup); see #37.
Pre-publish checklist
Publish flow
cd nodeup-npm
npm pack --dry-run # expect 5 files: LICENSE, README.md, package.json, scripts/{check,install}.js
npm login # prompts for username + password + email; then for OTP from your authenticator app
npm publish # prompts for another OTP from your authenticator
Full details are in docs/release-checklist.md under "Publishing
nodeup-npm to the npm registry".
After the first publish
Linked
Tracks the manual npm-publish step for the v1.0.0 cut. The wrapper
itself shipped in #34 (nodeup-npm/ in repo, scripts/check.js +
scripts/install.js, pinned-version design). The npm package name
is
nodeupx(notnodeup); see #37.Pre-publish checklist
npmjs.comaccount exists with publish rights on thenodeupxpackage name. The barenodeupname is ownedby an unrelated dormant 2015 package (
romanmt/nodeup,"a simple cluster implementation for node"), so we cannot
claim it —
npm publishfails withYou do not have permission to publish "nodeup"if youtry the wrong name.
and email-only modes are not accepted for publish). Configure
at https://www.npmjs.com/settings//security.
GoReleaser (linux/darwin/windows × amd64/arm64, minus
windows/arm64 which is intentionally excluded). The wrapper's
install.jsdownloads fromhttps://github.com/dipto0321/nodeup/releases/download/v1.0.0/...,so this has to land first.
nodeup-npm/package.json'sbinaryVersionfield is set to1.0.0(already true onmainas of chore(release): ship npm wrapper and install-method guidance #34).Publish flow
Full details are in
docs/release-checklist.mdunder "Publishingnodeup-npm to the npm registry".
After the first publish
Confirm
npm view nodeupxshows version1.0.0on theregistry.
Smoke test:
npm install -g nodeupxin a fresh shell,then
nodeup version. Should print the v1.0.0 build infoand download a ~6 MB static binary.
Consider automating future publishes. npmjs.com permanently
revoked classic tokens on December 9, 2025; there's no
"Automation" token type anymore. The right options are:
1. OIDC Trusted Publishing (recommended) — the
publish-npmjob in.github/workflows/release.ymlalready exchanges GitHub's OIDC token for a one-hour
publish token scoped to
nodeupx. The trust entryon the npmjs.com side must point at
release.ymlindipto0321/nodeup. NoNPM_TOKENsecret, no rotation, no leak surface.
2. Granular access token — created at
<https://www.npmjs.com/settings//tokens>, 90-day
max expiry, package-scoped to
nodeupx, optionalbypass_2fafor unattended CI. Stored asgh secret set NPM_TOKENand consumed in release.yml.Linked
itself shipped in chore(release): ship npm wrapper and install-method guidance #34).
nodeup→nodeupxdocumented inchore(release): rename npm wrapper to nodeup-cli #37 (the wrapper still installs the binary as
nodeupon$PATH).Note
2026-07-04 updates:
nodeup-cli→nodeupx(PR chore(release): rename npm package from nodeup-cli to nodeupx #108).nodeup-cli@1.0.0was unpublished and the name sat in the 24h unpublish hold, so the wrapper moved tonodeupx(verified unclaimed on the registry). Version/binaryVersionare at1.0.1per chore(release): bump nodeup-cli to 1.0.1 with binaryVersion sync and repo URL fix #107.release.yml'spublish-npmjob is already wired (PR ci(release): add --provenance to npm publish; pin actions to commit SHAs #100); the only remaining registry-side step is registering the trust entry (GitHub Actions /dipto0321/nodeup/release.yml) on https://www.npmjs.com/package/nodeupx/access right after the first manual publish. Flow documented indocs/release-checklist.md(PR docs(release): make OIDC trusted publishing the documented npm flow #109).