Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
When running npm publish with allow-directory=none or allow-directory=root the process fails with the EALLOWDIRECTORY error code.
Seems related to #9392
Expected Behavior
Publishing succeeds regardless of the value of the allow-directory option.
Steps To Reproduce
mkdir allow-directory-demo
cd allow-directory-demo
npm install --global npm@12.0.1
npm init -y
echo '*** allow-directory=none **'
echo 'allow-directory=none' >.npmrc
npm publish --dry-run || true
echo $?
echo '*** allow-directory=root **'
echo 'allow-directory=root' >.npmrc
npm publish --dry-run || true
echo $?
echo '*** allow-directory=all **'
echo 'allow-directory=all' >.npmrc
npm publish --dry-run || true
echo $?
outputs
[...]
*** allow-directory=none **
npm error code EALLOWDIRECTORY
npm error Fetching packages of type "directory" have been disabled
npm error A complete log of this run can be found in: /root/.npm/_logs/2026-07-12T12_42_39_508Z-debug-0.log
0
*** allow-directory=root **
npm error code EALLOWDIRECTORY
npm error Fetching non-root packages of type "directory" have been disabled
npm error A complete log of this run can be found in: /root/.npm/_logs/2026-07-12T12_42_39_742Z-debug-0.log
0
*** allow-directory=all **
npm notice
npm notice package: allow-directory-demo@1.0.0
npm notice Tarball Contents
npm notice 220B package.json
npm notice Tarball Details
npm notice name: allow-directory-demo
npm notice version: 1.0.0
npm notice filename: allow-directory-demo-1.0.0.tgz
npm notice package size: 249 B
npm notice unpacked size: 220 B
npm notice shasum: 4f8bb3faaa44f6520f5a2b849e416c43db1a0547
npm notice integrity: sha512-XnbBxRTR45jVf[...]p3fyZvMd2L7ig==
npm notice total files: 1
npm notice
npm warn publish This command requires you to be logged in to https://registry.npmjs.org/ (dry-run)
npm notice Publishing to https://registry.npmjs.org/ with tag latest and default access (dry-run)
+ allow-directory-demo@1.0.0
0
similarly for npm@11.18.0
Environment
- npm: 12.0.1
- Node.js: v26.4.0
- OS Name: Ubuntu 24.04
- System Model Name: custom
- npm config:
; "project" config from /allow-directory-demo/.npmrc
allow-directory = "root"
; node bin location = /usr/local/bin/node
; node version = v26.4.0
; npm local prefix = /allow-directory-demo
; npm version = 12.0.1
; cwd = /allow-directory-demo
; HOME = /root
; Run `npm config ls -l` to show all defaults.
Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
When running
npm publishwithallow-directory=noneorallow-directory=rootthe process fails with theEALLOWDIRECTORYerror code.Seems related to #9392
Expected Behavior
Publishing succeeds regardless of the value of the
allow-directoryoption.Steps To Reproduce
outputs
similarly for
npm@11.18.0Environment