Publishing

scpm implements the npm registry publish flow for package tarballs, dist-tags, deprecations, and unpublishing.

Pack

scpm pack
scpm pack --dry-run
scpm pack --json
scpm pack --pack-destination dist

pack applies npm-style file selection: files field first, otherwise standard ignore rules, with package.json, README, LICENSE, and the main entry always included.

Publish

scpm publish
scpm publish --tag next
scpm publish --access public
scpm publish --dry-run --json

Workspace fanout uses the global workspace selectors:

scpm -r publish
scpm -F '@acme/*' publish

Provenance

scpm publish --provenance

Provenance requires an OIDC-capable CI environment such as GitHub Actions with id-token: write. scpm signs a SLSA in-toto statement via Sigstore and attaches the bundle to the publish body.

Dist-tags

scpm dist-tag add react@18.2.0 stable
scpm dist-tag ls react
scpm dist-tag rm react stable

Deprecate and unpublish

scpm deprecate pkg@'<2' "Use pkg 2 or newer"
scpm undeprecate pkg@'<2'
scpm unpublish pkg@1.0.0 --dry-run
scpm unpublish pkg --force

Whole-package unpublish requires --force.