laurigates/bun-publish
typescript-plugin/skills/bun-publish/SKILL.md
Bun publish to npm. Use when the user wants to release to npm, preview with --dry-run, publish a scoped package with --access public, or enable --provenance signing.
$ install --global
skillsauthnpx skillsauth add laurigates/claude-plugins bun-publishInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 21, 2026, 7:49 AM171.3s1 file scanned
SKILL.md
- description:
- Bun publish to npm. Use when the user wants to release to npm, preview with --dry-run, publish a scoped package with --access public, or enable --provenance signing.
- args:
- [--dry-run] [--access <level>] [--provenance]
- allowed-tools:
- Bash, Read
- argument-hint:
- [--dry-run] [--access public]
- disable-model-invocation:
- true
- created:
- 2025-12-21
- modified:
- 2026-05-09
- reviewed:
- 2026-04-25
- name:
- bun-publish
/bun:publish
Publish package to npm registry after building with Bun.
When to Use This Skill
| Use this skill when... | Use bun-publishing instead when... |
|---|---|
| Executing a single npm publish action with the right flags | Looking up broader npm publishing workflow guidance and conventions |
| Previewing a publish with --dry-run before releasing | Configuring publishConfig, scoped-package access, or provenance setup |
| Releasing a scoped package with --access public | Use bun-build when you need to produce build artifacts before publishing |
| Enabling supply-chain --provenance signing on a release | Use bun-lockfile-update when bumping dependencies before a release |
Parameters
--dry-run: Preview publish without executing--access: Access level (publicorrestricted)--provenance: Enable supply chain provenance signing
Context
Detect package configuration:
cat package.json | jq '{name, version, publishConfig, bin, files, scripts: {prepublishOnly: .scripts.prepublishOnly}}'
Execution
Pre-publish Validation
# Type check
bun run tsc --noEmit 2>&1 | head -20
# Build
bun run build
# Verify tarball contents
npm pack --dry-run
Publish
Dry run (default for first attempt):
npm publish --dry-run {{ "--access " + ACCESS if ACCESS }}
Actual publish:
# Standard package
npm publish {{ "--access " + ACCESS if ACCESS }} {{ "--provenance" if PROVENANCE }}
# Scoped package (auto-detect from name starting with @)
npm publish --access public {{ "--provenance" if PROVENANCE }}
Scoped Package Detection
If package.json name starts with @:
- Automatically add
--access publicunless explicitly restricted - Warn if
publishConfig.accessis not set in package.json
Post-publish
- Display published version:
npm view <package> version - Show installation command:
npm install <package> - Link to npm package page
Error Handling
402 Payment Required:
- Scoped packages require
--access publicfor public registry - Add
publishConfig.access: "public"to package.json
Missing authentication:
- Run
npm loginto authenticate - Or set
NPM_TOKENenvironment variable
Related Skills
laurigates/workflow-verify-before-filing
testing
VerifiedTrustedCommunity
Verify accumulated bug claims at upstream HEAD and dedup against trackers before filing issues. Use when filing upstream reports from backlogs, audit docs, or git-history findings.
38SKILL.mdUpdated Jun 12, 2026
laurigates/cold-read-gate
documentation
VerifiedTrustedCommunity
Gate outward-bound text (upstream issues, docs, PR bodies) through isolated haiku fresh-reader critique before publishing. Use when an artifact must survive a reader with zero project context.
38SKILL.mdUpdated Jun 12, 2026
laurigates/evaluate-improve
tools
VerifiedTrustedCommunity
Suggest improvements to SKILL.md content, descriptions, or tool config from eval results. Use when raising pass rates, fixing triggering, or iterating on a skill after evaluation.
38SKILL.mdUpdated Apr 16, 2026
laurigates/deadbranch
tools
VerifiedTrustedCommunity
deadbranch CLI for stale-branch cleanup — dry-run preview, TUI or non-interactive delete, protects main/develop/WIP. Use when asked to clean up branches, prune branches, or remove stale branches.
37SKILL.mdUpdated Jun 11, 2026