Get the FREE Ultimate OpenClaw Setup Guide →

package-registry

npx machina-cli add skill littlebearapps/pitchdocs/package-registry --openclaw
Files (1)
SKILL.md
11.6 KB

Package Registry Documentation Guidance

When This Applies

These checks are conditional — only run when the project is published to a package registry.

File PresentRegistryAction
package.jsonnpm (npmjs.com)Check npm metadata fields, badge templates
pyproject.tomlPyPI (pypi.org)Check PyPI metadata fields, Markdown compatibility
Bothnpm + PyPICheck both; cross-renderer compatibility is critical

Detection:

[ -f "package.json" ] && echo "npm project detected"
[ -f "pyproject.toml" ] && echo "PyPI project detected"

npm Registry Metadata

The README displayed on npmjs.com comes from the published tarball, not live from GitHub. Changes to your README on GitHub do not update the npm page until you publish a new version.

package.json Fields That Affect the npm Page

FieldAffectsPriorityNotes
namePackage name in header and URLRequiredScoped (@org/name) preferred for organisations
versionVersion display, install commandRequiredMust follow semver
descriptionSearch results, package headerHighFirst ~200 chars shown in search; match README value proposition
keywordsnpm search discoveryHighArray of strings, aim for 5–10 relevant terms
homepage"Homepage" sidebar linkHighDocs site or project page
repository"Repository" sidebar link, GitHub integrationHighMust be { "type": "git", "url": "git+https://github.com/org/repo.git" }
bugs"Issues" sidebar linkMedium{ "url": "https://github.com/org/repo/issues" }
licenseLicence badge in sidebarHighSPDX identifier string (e.g., "MIT", "Apache-2.0")
authorDisplayed on package pageMedium{ "name": "...", "email": "...", "url": "..." }
funding"Fund this package" buttonLowURL string or { "type": "github", "url": "..." }
types / typingsTypeScript indicator (TS badge)High (for TS)Path to .d.ts file; npm won't show TS badge without explicit field
filesWhat gets published in tarballHighWhitelist approach preferred; README/LICENSE/CHANGELOG always included

Critical for trusted publishing: repository.url must exactly match the GitHub repository URL (case-sensitive) for npm OIDC trusted publishing to work.

npm Always-Included Files

Regardless of the files field or .npmignore, npm always includes:

  • package.json
  • README (any case, any extension)
  • LICENSE / LICENCE (any case, any extension)
  • CHANGELOG (any case, any extension)
  • The file referenced by main

Use npm pack to inspect tarball contents before publishing.

PyPI Registry Metadata

pyproject.toml Fields That Affect the PyPI Page

FieldSectionAffectsNotes
name[project]Package name and URLPEP 503 normalisation (hyphens = underscores)
version[project]Version displayOr dynamic via build backend
description[project]Search results summarySingle line, plain text
readme[project]Full description on project page"README.md" or { file = "README.md", content-type = "text/markdown" }
license[project]Licence displayPEP 639: SPDX expression preferred ("MIT", "Apache-2.0 OR MIT")
requires-python[project]Python version badge">=3.10"
keywords[project]Search discoveryArray of strings
classifiers[project]Category browsing on PyPITrove classifiers (still relevant for non-licence metadata)
urls[project.urls]Sidebar links with custom iconsUse well-known labels below

Well-Known PyPI URL Labels

PyPI recognises specific URL labels and displays them with custom icons instead of generic links. Labels are normalised (punctuation/whitespace removed, lowercased).

LabelIconExample URL
HomepageHousehttps://project.com
Repository or SourceCodehttps://github.com/org/repo
Documentation or DocsBookhttps://docs.project.com
Changelog or ChangesListhttps://github.com/org/repo/blob/main/CHANGELOG.md
Issues or Bug TrackerBughttps://github.com/org/repo/issues
Funding or SponsorHearthttps://github.com/sponsors/org
DownloadDownloadhttps://github.com/org/repo/releases

Example:

[project.urls]
Homepage = "https://project.com"
Repository = "https://github.com/org/repo"
Documentation = "https://docs.project.com"
Changelog = "https://github.com/org/repo/blob/main/CHANGELOG.md"
Issues = "https://github.com/org/repo/issues"

PEP 639: SPDX Licence Expressions

The new standard for licence metadata in Python. Replaces trove classifier licence identifiers.

New approach (recommended):

[project]
license = "MIT"              # SPDX expression
license-files = ["LICENSE"]  # Explicit file paths

Old approach (deprecated):

[project]
license = {text = "MIT License"}

SPDX expressions are more precise than trove classifiers (e.g., distinguishes BSD-2-Clause from BSD-3-Clause).

Verified vs Unverified Details

PyPI's sidebar splits project information into two sections:

  • Verified details (green checkmark): URLs verified through Trusted Publisher. GitHub statistics (stars, forks) only shown here.
  • Unverified details: URLs and metadata that cannot be automatically verified.

Configuring a Trusted Publisher automatically verifies the repository URL.

README Cross-Renderer Compatibility

READMEs render on multiple platforms. What works on GitHub may break on npm or PyPI.

Markdown FeatureGitHubnpmPyPIWorkaround
Heading anchors (#section)YesYesNoUse full URLs to GitHub README
Relative images (./docs/img.png)YesNoNoUse absolute raw.githubusercontent.com URLs
GitHub callouts ([!NOTE])YesNoNoUse bold text or blockquotes
<details>/<summary>YesYesUnreliableAvoid for critical content
colspan/rowspan in tablesPartialPartialNoUse simpler table structures
<div align="center">YesYesNoAcceptable loss; PyPI strips most HTML alignment
Mermaid diagramsYesNoNoUse pre-rendered SVG/PNG images
Task lists (- [ ])YesYesNoUse bullet lists with emoji checkmarks
FootnotesYesNoNoUse inline parenthetical notes

Key Rules for Multi-Renderer READMEs

  1. Always use absolute URLs for images — relative paths break on both npm and PyPI
  2. Avoid GitHub-specific callouts ([!NOTE], [!WARNING]) — plain text elsewhere
  3. Avoid heading anchor links if PyPI rendering matters — broken on PyPI
  4. Avoid <details>/<summary> for critical content — unreliable on PyPI
  5. Test before publishing: twine check dist/* validates PyPI README rendering

Solving GitHub vs PyPI Differences

For Python projects needing optimised READMEs on both platforms, consider hatch-fancy-pypi-readme:

  • Assembles PyPI READMEs from fragments
  • Runs regex substitutions to transform GitHub-specific content
  • Converts relative links to absolute links

Trusted Publishing and Provenance

This section covers documentation-relevant aspects. The plugin does NOT create publish workflows (that's DevOps).

npm Trusted Publishing

  • OIDC trusted publishing went GA July 2025 — replaces long-lived tokens entirely
  • Classic tokens permanently revoked December 2025; granular tokens max 90 days
  • Publishing with --provenance flag adds a Sigstore badge on npmjs.com linking to the exact source commit and build workflow
  • Requires id-token: write permission in GitHub Actions
  • repository.url in package.json must exactly match the GitHub repo URL (case-sensitive)

PyPI Trusted Publishing

  • Trusted Publisher since April 2023 — first major registry to support OIDC
  • Digital attestations (PEP 740) since November 2024 — Sigstore signing for package files
  • "Verified details" sidebar badge appears automatically when trusted publisher is configured
  • Repository URL in [project.urls] must match the GitHub repo for verification
  • pypa/gh-action-pypi-publish handles publishing when configured as a trusted publisher

What to Audit (Not Configure)

  • Check if repository.url (npm) or [project.urls].Repository (PyPI) matches the actual GitHub repo URL
  • Flag opportunity to add provenance/attestation badges to README if not present
  • Link to trusted publishing setup docs in audit output

Registry-Specific Badges

npm Badges

[![npm version](https://img.shields.io/npm/v/PACKAGE-NAME)](https://www.npmjs.com/package/PACKAGE-NAME)
[![npm downloads](https://img.shields.io/npm/dm/PACKAGE-NAME)](https://www.npmjs.com/package/PACKAGE-NAME)
[![npm bundle size](https://img.shields.io/bundlephobia/minzip/PACKAGE-NAME)](https://bundlephobia.com/package/PACKAGE-NAME)
[![types](https://img.shields.io/npm/types/PACKAGE-NAME)](https://www.npmjs.com/package/PACKAGE-NAME)

PyPI Badges

[![PyPI version](https://img.shields.io/pypi/v/PACKAGE-NAME)](https://pypi.org/project/PACKAGE-NAME/)
[![Python versions](https://img.shields.io/pypi/pyversions/PACKAGE-NAME)](https://pypi.org/project/PACKAGE-NAME/)
[![PyPI downloads](https://img.shields.io/pypi/dm/PACKAGE-NAME)](https://pypi.org/project/PACKAGE-NAME/)
[![PyPI status](https://img.shields.io/pypi/status/PACKAGE-NAME)](https://pypi.org/project/PACKAGE-NAME/)

Badge order (after CI/coverage badges):

  1. Registry version (npm or PyPI)
  2. Downloads
  3. Type support (npm types) or Python versions (PyPI)
  4. Bundle size (npm only) or status (PyPI only)

Audit Checklist

npm Project (package.json exists)

  • description present and matches README value proposition
  • keywords present with at least 3 relevant entries
  • repository present with correct URL format ({ "type": "git", "url": "git+https://..." })
  • homepage present (docs site, project page, or npm page)
  • bugs present (GitHub issues URL)
  • license present and matches LICENSE file (SPDX identifier)
  • types or typings present if TypeScript project (check for tsconfig.json)
  • files whitelist present (preferred over .npmignore)
  • author or contributors present
  • funding present (if sponsorship available)
  • README avoids npm-incompatible Markdown (relative images, Mermaid, footnotes)

PyPI Project (pyproject.toml exists)

  • [project].description present and non-empty
  • [project].readme points to README.md with correct content-type
  • [project].keywords present with at least 3 entries
  • [project].license present (SPDX expression preferred per PEP 639)
  • [project].requires-python present
  • [project.urls] has at least Homepage, Repository, and Issues (using well-known labels)
  • [project].classifiers includes relevant trove classifiers (development status, language, topic)
  • [project].authors or [project].maintainers present
  • README avoids PyPI-incompatible Markdown (heading anchors, relative images, callouts, details/summary)

Source

git clone https://github.com/littlebearapps/pitchdocs/blob/main/.claude/skills/package-registry/SKILL.mdView on GitHub

Overview

This skill guides publicly published projects through npm and PyPI metadata, covering registry-facing fields, README cross-renderer compatibility, trusted publishing prerequisites, and provenance/audit checks to ensure accurate, verifiable package pages.

How This Skill Works

Checks activate when the project contains package.json (npm) or pyproject.toml (PyPI) and is published publicly. It validates npm fields (name, version, description, keywords, homepage, repository, bugs, license, author, funding, types/typings, files) and PyPI fields (name, version, description, readme, license, requires-python, keywords, classifiers) and flags cross-renderer README consistency. It also enforces trusted publishing requirements, notably that repository.url exactly matches the GitHub URL for OIDC trust, and recommends using npm pack to inspect tarball contents before publishing.

When to Use It

  • You publish a project to npm and want the registry page to reflect accurate metadata.
  • You publish a project to PyPI and need consistent metadata and README compatibility.
  • You require cross-renderer compatibility of README across GitHub, npm, and PyPI.
  • You enforce trusted publishing and must ensure repository URLs match GitHub exactly.
  • You want to audit tarball contents before publishing to verify included files (README, LICENSE, CHANGELOG, etc.).

Quick Start

  1. Step 1: Detect registry targets by checking for package.json and/or pyproject.toml in a public project.
  2. Step 2: Audit npm and PyPI metadata fields (name, version, description, repository, license, readme, requires-python, keywords) and align for cross-renderer compatibility.
  3. Step 3: Run npm pack to inspect the tarball contents and verify that README/LICENSE/CHANGELOG and main are included before publishing.

Best Practices

  • Ensure repository.url exactly matches the GitHub repository URL (case-sensitive) for npm OIDC trusted publishing.
  • Keep npm and PyPI metadata aligned (names, descriptions, licenses, keywords) to avoid conflicting pages.
  • Maintain a clear, single README that is compatible with both npm and PyPI rendering (markdown support, content-type where applicable).
  • Include standard files in tarballs (README, LICENSE/LICENCE, CHANGELOG, and main entry) and verify with npm pack.
  • Use 5–10 relevant npm keywords and precise license identifiers (e.g., MIT, Apache-2.0) to improve discoverability.

Example Use Cases

  • An npm package published as @org/project with a GitHub repository URL matching the npm repository field, plus a PyPI project with a corresponding [project] readme and license fields.
  • A multi-registry project whose README renders correctly on npm and PyPI due to cross-renderer compatibility and consistent descriptions.
  • A package that passes trusted publishing checks by having repository.url exactly equal to https://github.com/org/repo.git.
  • A project that uses pyproject.toml [project] fields with a clear, plain-text single-line description for PyPI search results.
  • A developer runs npm pack pre-publish and confirms the tarball includes README, LICENSE, CHANGELOG, and the main field.

Frequently Asked Questions

Add this skill to your agents
Sponsor this space

Reach thousands of developers