Verify latest release
pnpm version
v11
Which area(s) of pnpm are affected? (leave empty if unsure)
CLI
Link to the code that reproduces this issue or a replay of the bug
No response
Reproduction steps
- Create a package with this
package.json:
{
"name": "@scope/private-package",
"version": "1.0.0",
"publishConfig": {
"access": "restricted"
}
}
- Run publish without passing
--access:
- In a monorepo, run recursive/bulk publishing where package-level publish metadata is expected to control each package's access level.
Describe the Bug
pnpm publish supports --access <public|restricted> and the equivalent npm config key access, but it does not appear to honor publishConfig.access from package.json.
This is a problem for monorepos that publish multiple packages in bulk and need package-specific access configuration from package metadata. Passing --access=restricted applies globally to the command and is not equivalent to honoring each package's own publishConfig.access.
The JS implementation currently passes options.access to libnpmpublish, but does not derive it from manifest.publishConfig.access.
Relevant code:
// releasing/commands/src/publish/publishPackedPkg.ts
const {
access,
...
} = options
const publishOptions: PublishOptions = {
access,
defaultTag,
...
}
The actual publish call delegates to libnpmpublish:
// releasing/commands/src/publish/otp.ts
operation: otp => publish(manifest, tarballData, { ...publishOptions, otp }),
// releasing/commands/src/publish/utils/shared-context.ts
import { publish as _publish, type PublishOptions } from 'libnpmpublish'
By contrast, pnpm explicitly consumes other publishConfig keys, such as registry:
// releasing/commands/src/publish/publishPackedPkg.ts
const publishConfigRegistry = typeof manifest.publishConfig?.registry === 'string'
? manifest.publishConfig.registry
: undefined
and directory:
// releasing/commands/src/publish/pack.ts
const dir = entryManifest.publishConfig?.directory
? path.join(opts.dir, entryManifest.publishConfig.directory)
: opts.dir
Expected Behavior
For a package manifest containing:
{
"name": "@scope/private-package",
"version": "1.0.0",
"publishConfig": {
"access": "restricted"
}
}
running:
should publish with restricted access, equivalent to:
pnpm publish --access=restricted
For recursive publishing, each package's publishConfig.access should be honored independently.
Which Node.js version are you using?
24.14.1
Which operating systems have you used?
If your OS is a Linux based, which one it is? (Include the version if relevant)
No response
Verify latest release
pnpm version
v11
Which area(s) of pnpm are affected? (leave empty if unsure)
CLI
Link to the code that reproduces this issue or a replay of the bug
No response
Reproduction steps
package.json:{ "name": "@scope/private-package", "version": "1.0.0", "publishConfig": { "access": "restricted" } }--access:Describe the Bug
pnpm publishsupports--access <public|restricted>and the equivalent npm config keyaccess, but it does not appear to honorpublishConfig.accessfrompackage.json.This is a problem for monorepos that publish multiple packages in bulk and need package-specific access configuration from package metadata. Passing
--access=restrictedapplies globally to the command and is not equivalent to honoring each package's ownpublishConfig.access.The JS implementation currently passes
options.accesstolibnpmpublish, but does not derive it frommanifest.publishConfig.access.Relevant code:
The actual publish call delegates to
libnpmpublish:By contrast, pnpm explicitly consumes other
publishConfigkeys, such asregistry:and
directory:Expected Behavior
For a package manifest containing:
{ "name": "@scope/private-package", "version": "1.0.0", "publishConfig": { "access": "restricted" } }running:
should publish with restricted access, equivalent to:
For recursive publishing, each package's
publishConfig.accessshould be honored independently.Which Node.js version are you using?
24.14.1
Which operating systems have you used?
If your OS is a Linux based, which one it is? (Include the version if relevant)
No response