by seniorsassycat 2660 days ago
Adding 'private: true' to the package.json prevents publishing to _any_ registry, including a corporate proxy. Adding a string or regex option for private that would only publish to matching registries may prevent issues like this.

I ask for regex only because our corp proxy binds to a random port each time it runs, so a static string wouldn't be flexible enough.


Why isn’t this a source URL?

Took a while for Ruby to get it but for the last 5 years you have default config for self-hosted sources whenever you make a new gem.

Of course, npm is unique in being privately funded. It doesn’t want you doing that.

Benefit of the doubt says that they thought they were publishing privately.

Going back to Ruby, you will fail a bunch of CI steps just by leaving defaults in place.

Hey, contributor to rubygems here, there's no source url for ruby gems specification. You can read more here: https://guides.rubygems.org/specification-reference/

You're likely thinking of bundler's source, but even then that doesn't apply to publishing a gem.

> Benefit of the doubt says that they thought they were publishing privately.

In what world is pushing your source code to a venture backed (therefore viral growth oriented) company who promote themselves with "npm Inc supports the JavaScript community by providing the registry where developers publish and share packaged open-source modules" possibly consistent with a view that "they thought they were publishing privately"???

Sorry, but I just don't buy that.

Somebody at the bank fucked up. It cannot possibly be npm Inc's responsibility to detect and somehow police that.