Is there an alternative to npm package manager where a proprietary license is allowed?

I have used npm a lot, but I wonder, why should I have to pretend I accept e.g. a “CC-BY-NC-ND-4.0” license with a possible danger of accidentally publishing my proprietary work in an instant, like that?


I bet I’m not alone in this…

you can give your package.json any license, you can also ward off accidental pushes by adding "private": true and adding /src to .npmignore. it is very common that publish is done via CI and that flag prevents misuse. you could now publish your distributables safely.

as for alternatives, not really. you don’t have to use npm directly, i think most people don’t (yarn, pnpm, bun etc), but the node package registry is practically JavaScript’s ecosystem and if you use something else your clients will not go through the hassle, they will seek an alternative to your library instead. well you can in theory have your own registry but this is mostly used for companies that control their own packages.
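A pre-publish guard that checks the two safeguards described in this reply ("private": true and excluding src/ via .npmignore). This is an added example, not code from the thread; it assumes the directory to protect is named src and that the guard is wired into npm's prepublishOnly lifecycle script, where a non-zero exit aborts the publish. It also checks that src is not listed in package.json "files", because entries in "files" cannot be excluded through .npmignore.

```javascript
// Added example (not from the thread): audit a package.json object and the
// text of a .npmignore file for settings that could let proprietary sources
// reach the public registry. Intended to run from a "prepublishOnly" script.

// Directory the author never wants inside a published tarball (assumed: src).
const PROTECTED_DIR = "src";

// Normalise one .npmignore or "files" pattern: drop comments and blank lines,
// then strip leading "/" and trailing "/" so "src", "/src" and "src/" match.
function normalizePattern(line) {
  const trimmed = line.trim();
  if (trimmed === "" || trimmed.startsWith("#")) return null;
  return trimmed.replace(/^\/+/, "").replace(/\/+$/, "");
}

function auditPublishConfig(pkg, npmignoreText) {
  const problems = [];

  // 1. "private": true makes npm refuse to publish the package at all.
  if (pkg.private !== true) {
    problems.push('package.json lacks "private": true');
  }

  // 2. A license must be declared; custom terms use "SEE LICENSE IN <file>".
  if (typeof pkg.license !== "string" || pkg.license.trim() === "") {
    problems.push("package.json declares no license");
  }

  // 3. The protected directory must be excluded by .npmignore ...
  const ignored = npmignoreText.split(/\r?\n/).map(normalizePattern).filter(Boolean);
  if (!ignored.includes(PROTECTED_DIR)) {
    problems.push(`.npmignore does not exclude ${PROTECTED_DIR}/`);
  }

  // 4. ... and must not be whitelisted via "files", which .npmignore cannot override.
  const files = Array.isArray(pkg.files) ? pkg.files.map(normalizePattern).filter(Boolean) : [];
  if (files.includes(PROTECTED_DIR)) {
    problems.push(`"files" in package.json explicitly includes ${PROTECTED_DIR}/`);
  }

  return problems;
}

// Constructed sample inputs for demonstration.
const riskyPkg = { name: "my-lib", version: "1.0.0", files: ["dist", "src"] };
const safePkg = { name: "my-lib", version: "1.0.0", private: true,
                  license: "SEE LICENSE IN LICENSE.txt", files: ["dist"] };
const npmignore = "# npmignore\nsrc/\nout.js\nout.map\n";

console.log(auditPublishConfig(riskyPkg, ""));        // reports four problems
console.log(auditPublishConfig(safePkg, npmignore));  // []
```

In a real project, read package.json and .npmignore from disk, call auditPublishConfig, and set process.exitCode = 1 when the returned array is non-empty.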

you can give your package.json any license

As far as I remember, npm init wouldn’t accept a non-valid license - of course I can change it afterwards, but it would probably not be respected.

adding /src to .npmignore.

Thanks, I didn’t know about that. But the instructions are a bit confusing.
Is it correct and safe to just create a .npmignore file with the following?

# npmignore

src/
out.js
out.map

Still, I have spent years on that code, I don’t like the idea of being a hair’s breadth away from being published! :scream:

the node package registry is practically JavaScript’s ecosystem and if you use something else your clients will not go through the hassle, they will seek an alternative to your library instead. well you can in theory have your own registry but this is mostly used for companies that control their own packages.

I’m working for myself - not intermediates - and my clients are ordinary people, so I wouldn’t mind using any solution that is efficient enough.

I tried pnpm but I don’t see anything close to npm - no documentation, no support list, commands don’t work, there is the requirement to allow scripts to run (!), etc. (what’s going on there?) - at least that’s my first impression.

EDIT:
On second thought, I’m not using any libraries that come with npm other than three.js, aside from a few tools for development like @types/three, esbuild, etc., so I don’t need to include any of their code, and therefore I might be able to get rid of npm completely…

I think "private": true in your package.json is probably what you want here, it won’t publish without that removed. From the npm docs:

Or just don’t be logged into an npm account – no way to publish without an account! If you have 2FA enabled, npm also won’t let you publish anything without doing the 2FA authentication dance.

Some companies I’ve worked with also have their own internal npm registries, and things get published there rather than to the public registry; that’s an option.

And yeah … I don’t love npm’s reliance on SPDX identifiers for licenses, personally. I wish they would choose an ID scheme that is more open to new licenses. But in any case there is a workaround for custom licenses, use SEE LICENSE IN <filename> as described here:

Thanks. Through the years people used such references to external files, then it was announced that they were invalid, and now they have brought them back, apparently…

But the main problem in my case is to not be published at all, not just respect the license…

That’s an additional assurance, thanks! (I’m already using the flag, BTW.)

BTW, I tried to get rid of node.js (and npm) but it was too much work for too little (limitations).

So, I’ll be using all this, but to be 100% sure… I decided to simply block the internet for node.js using an app rule in Kaspersky antivirus, which is easy to switch off and on, and when I update every few months or so, I’ll make sure it has no access to the source code files, using Folder Guard, which I have already installed. That might sound paranoid, but it doesn’t take more than 1-2 minutes actually.