Basically the thing is I’m working on a project that uses
grunt for build tasks and as I have a few dependencies here and there I thought it was a good idea to declare those on a
package.json so that my co-workers can
npm install without being required to manually install every package at the correct version.
Now the thing is, what if someone “accidentally” runs
npm publish? Is there a way to have the
package.json while keeping my stuff private?
If you set
"private": truein your package.json, then npm will refuse to publish it.
This is a way to prevent accidental publication of private repositories. If you would like to ensure that a given package is only ever published to a specific registry (for example, an internal registry), then use the publishConfig hash described below to override the registry config param at publish-time.