Npm-prune and npm-publish cli commands

JavaScript is a hugely popular language with numerous packages, and there are times when your project contains packages that are extraneous. There are other times when you want to send your own package to the registry. npm is aware of both needs, which is why it provides the npm-prune and npm-publish commands. This tutorial will guide you on how to use these commands. Enjoy!


As we said in the intro, there are times you want to remove extraneous packages; the npm prune command helps you perform that task.


npm prune [[<@scope>/]<pkg>...] [--production] [--dry-run] [--json]


This command will remove "extraneous" packages. If you provide a package name, then only packages that match one of the supplied names are removed.

An extraneous package is a package that is not listed on the parent package's dependencies list.

The NODE_ENV environment variable is set to production when the --production flag is specified. In this case the npm prune command will remove packages that are specified in your devDependencies. Setting --no-production negates NODE_ENV being set to production.

No change will be made if you use the --dry-run flag.

The changes made by npm prune will be printed as a JSON object if you use the --json flag.

Usually, when you enable package-locks, extraneous modules will be pruned automatically when you install modules, so you will only need to run the command with the --production flag.

If you have disabled package-locks, extraneous modules will not be removed, and it is up to you to run npm prune regularly to remove them.


This command is used to publish a package.


npm publish [<tarball>|<folder>] [--tag <tag>] [--access <public|restricted>] [--otp otpcode]
Publishes '.' if no argument supplied
Sets tag 'latest' if no --tag specified


This command publishes a package to the registry so that it can be installed by name. All the files in the package directory are included if no local .gitignore or .npmignore file exists. In the case where both files exist and a file is ignored by the .gitignore but not by the .npmignore then it is included.

By default, npm publishes to the public registry. You can override this by specifying a different default registry or by using an npm-scope in the name.

  • <folder>: A folder that has a package.json file
  • <tarball>: A url or file path to a gzipped tar archive that contains a single folder with a package.json file inside.
  • [--tag <tag>] This command registers the published package with the given tag, such that npm install <name>@<tag> installs this version. By default, npm publish will update and npm install will install the latest tag.
  • [--access <public|restricted>] will tell the registry whether this package should be published as public or restricted. This only applies to scoped packages, which default to restricted. If you do not have a paid account, you have to publish with --access public to publish scoped packages.
  • [--otp <otpcode>] If you have two-factor authentication enabled in auth-and-writes mode, you can provide a code from your authenticator with this option. If you do not include it and you are running from a TTY, you will be prompted.

This command will fail if the package name and version combination already exists in the specified registry.

Once you publish a package with a given name and version, that specific name and version combination is no longer available for use, even if it has been removed with npm-unpublish.

As of [email protected], both a sha1sum and an integrity field with a sha512sum of the tarball are submitted to the registry during publication. Subsequent installs use the strongest supported algorithm to verify downloads.
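The two checksums described above, and the "strongest supported algorithm" rule, can be reproduced locally. The following is an added example, not npm's own code: the function names are hypothetical, the sample bytes are constructed, and it assumes the registry metadata carries a hex `shasum` and an `integrity` string of the form `sha512-<base64 digest>`.

```javascript
const crypto = require('node:crypto');

// Strongest first. sha1 is kept only for the legacy hex "shasum" field.
const STRENGTH = ['sha512', 'sha384', 'sha256', 'sha1'];

const digest = (alg, data) => crypto.createHash(alg).update(data).digest();

// The two checksums submitted at publish time, for a tarball held in a Buffer.
function distFields(tarball) {
  return {
    shasum: digest('sha1', tarball).toString('hex'),
    integrity: 'sha512-' + digest('sha512', tarball).toString('base64'),
  };
}

// Collect the expected digests per algorithm from both metadata fields.
function expectedDigests(dist) {
  const byAlg = new Map();
  const add = (alg, buf) => byAlg.set(alg, [...(byAlg.get(alg) || []), buf]);
  for (const entry of (dist.integrity || '').split(/\s+/).filter(Boolean)) {
    const dash = entry.indexOf('-');
    const alg = entry.slice(0, dash);
    if (dash > 0 && STRENGTH.includes(alg)) {
      add(alg, Buffer.from(entry.slice(dash + 1), 'base64'));
    }
  }
  if (/^[0-9a-f]{40}$/i.test(dist.shasum || '')) add('sha1', Buffer.from(dist.shasum, 'hex'));
  return byAlg;
}

// Verify against the strongest algorithm present and nothing weaker:
// a failed sha512 check must not be rescued by a matching sha1.
function verifyTarball(tarball, dist) {
  const byAlg = expectedDigests(dist);
  const algorithm = STRENGTH.find((alg) => byAlg.has(alg));
  if (!algorithm) return { ok: false, algorithm: null };
  const actual = digest(algorithm, tarball);
  const ok = byAlg.get(algorithm).some(
    (want) => want.length === actual.length && crypto.timingSafeEqual(want, actual));
  return { ok, algorithm };
}

// Constructed sample bytes standing in for a package tarball.
const sample = Buffer.from('constructed sample tarball bytes');
const dist = distFields(sample);
console.log(dist, verifyTarball(sample, dist));
```

Metadata that contains no recognised checksum is treated as a verification failure rather than as "nothing to check".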
