[RRFC] remove --access public for initial publish of scoped modules #572
Description
Motivation ("The Why")
Currently, to publish a scoped module for the first time you need to include --access public unless the organization you're publishing it to is on a paid plan, in which case it will be published privately. My guess is that the majority of npm users who are publishing are not, in fact, publishing to paid organizations and having that path be the default makes... little sense at this point in time.
Especially with the intersection of npm workspaces providing a good interface for scoped modules from a single source and the recent malicious usage the registry has seen, I think it would be nice to reduce the barrier to entry to publishing into scopes by normalizing the publishing experience across scoped namespace and global namespace packages and dropping --access private as the default for publishing a scoped module.
There's some compounding reasons why I don't feel like this is a particularly big deal:
- if you have an oopsie you can always change to
restrictedlater - the global namespace does not have this concept and it's not a problem there
- the DX of having to do this for some projects but not others is confusing and absolutely not intuitive
- npm probably doesn't care about pushing paid teams as much as it was once... required to
How
Current Behaviour
--access publicis required to publish a scoped module on initial publish
Desired Behaviour
--access publicis not required to publish a scoped module on initial publish