Package metadata that resolves cleanly.
Validate names, versions, licenses, repository links, package managers, scoped publish access, and publish-oriented fields.
npm package publishing hygiene
Find broken entrypoints. Catch bad tarballs and failed consumer installs. Check workspaces, release workflows, and editor-ready diagnostics before publish.
Checks
`pkg-guard check` inspects the files and metadata that consumers actually rely on across three modes: fast source-tree analysis, default tarball-aware validation, and optional installed consumer smoke checks.
Validate names, versions, licenses, repository links, package managers, scoped publish access, and publish-oriented fields.
Check `main`, `types`, `exports`, and `bin` targets, including common export patterns, before a consumer finds the broken path.
Use npm pack inspection to detect missing files, junk artifacts, and sensitive files in publish output.
Opt into tarball install checks that verify runtime resolution, bin layout, and TypeScript declarations without executing package code.
Infer CLI, TypeScript library, or generic intent so package-specific findings stay useful and suppressible.
Run across npm and pnpm workspace layouts, skip private packages by default, and target one package by name or path.
Use concise local output, stable finding JSON, SARIF for code scanning, or diagnostics JSON for integration tooling.
Use diagnostics JSON or the experimental analysis API for package and workspace diagnostics with layer, cost, and source range metadata.
Check trusted publishing posture, validation steps, Node and npm versions, and scoped package publish access before release.
Workspaces
Run `pkg-guard check --workspaces` from the repository root to audit publishable workspace packages. Add `--mode smoke` when CI should install each package's tarball in isolation. Private packages are skipped unless explicitly included, and package-local config stays package-local.
API
`pkg-guard check --format diagnostics-json` and `pkg-guard/experimental/analysis` return package and workspace diagnostics for integrations that need findings before CI. Fast mode skips npm pack and smoke work for editor-style loops, while default and smoke modes match release validation needs.
Workflow
Keep `pkg-guard` close to the release path: run `--mode fast` locally for quick source diagnostics, then run default or smoke mode in CI after the package build and before `npm publish`.
Install
npm install -D pkg-guard
npx pkg-guard check --workspaces
npx pkg-guard check --workspaces --format diagnostics-json --mode fast
npx pkg-guard fix --dry-run
npx pkg-guard init --dry-run
npx pkg-guard init-release