Why does the validator say my package name is invalid when npm accepted it?

**npm has looser rules today than it used to**, but the validator follows the **strict rules from the docs**. A valid npm package name: - is **at most 214 characters** - contains only **lowercase letters, digits, dashes, underscores and dots** - **does not start with a dot or underscore** - **contains no spaces or uppercase letters** - optionally starts with a **scope** (`@company/package`) Old packages on npm sometimes break these rules (they were registered before validation existed). For a **new package** the validator helps you avoid future problems: some tooling (Verdaccio, private registries, GitHub Packages) is stricter than the main npm registry.

What does it mean that the version must be SemVer?

**SemVer (Semantic Versioning)** is the standard **`MAJOR.MINOR.PATCH`** format: - **MAJOR** (e.g. `2.x.x`), change this when you break the **public API** (breaking change) - **MINOR** (e.g. `1.4.x`), add functionality in a backwards-compatible way - **PATCH** (e.g. `1.0.7`), fix a bug without adding features Valid: `1.0.0`, `2.5.3`, `0.0.1`, `3.0.0-beta.2`, `1.0.0+build.5`. **Invalid**: `1.0` (missing PATCH), `v1.0.0` (with the letter `v`), `latest`, `*`. npm requires SemVer for **every published package**, the validator checks the exact same regex as `semver.valid()`.

Why is mixing `^`, `~` and exact versions a problem?

**It is not an error**, but it is a **warning sign**. Each of these prefixes means something different: - **`"react": "^18.2.0"`**, npm installs **any 18.x.x**, latest minor/patch - **`"react": "~18.2.0"`**, npm installs **any 18.2.x**, latest patch only - **`"react": "18.2.0"`**, npm installs **exactly 18.2.0**, nothing else **Mixing is a problem** because: - **unpredictability**, different packages in the same project behave differently on `npm update` - **hard code review**, the reader does not know whether the author meant `^` deliberately or just typed something random - **regression debugging**, when one package breaks after an update, you do not know whether it was `^` or `~` **You usually pick one style**: the whole project on `^` (npm default and most libraries) or the whole project on exact pins (Renovate / Dependabot manages updates).

Why are `"latest"` or `"*"` versions a bad idea?

**Because they break reproducible builds.** `"react": "*"` means "any version of React in npm". Today you get **18.2.0**, tomorrow you might get **19.0.0** with breaking changes, **and you find out from a 3am production page**. `"latest"` is exactly the same thing written differently. **The lock-file (`package-lock.json`) helps**, but: 1) if someone deletes node_modules and the lock-file together, you will not get what you expect; 2) on a different dev machine the first `npm install` can pull a different version. **The validator flags this red**, treat it as must-fix before publishing or merging.

What are "peer dependencies" and why does the validator hunt for missing ones?

**Peer dependencies** are packages your library **assumes the user already has installed**. Most common example: you write a **React plugin**, so you declare: ```json "peerDependencies": { "react": ">=18" } ``` **Your library does not install React itself**, it expects the host project to already have it. **But**: if you use React in tests or in dev mode, **you must also list it in `devDependencies`**, otherwise `npm install` in your own repo will not work. The validator detects this case: **peer is there, dev is missing**, add it to devDeps. It does not block publishing, but it saves your CI builds.

What does the scripts graph show that the raw file does not?

**The call chain.** In raw JSON you see: ```json "scripts": { "release": "npm run build && npm publish", "build": "npm run clean && tsc", "clean": "rimraf dist", "test": "vitest" } ``` This is a **flat list**. The validator parses each script, finds **`npm run X`, `pnpm X`, `yarn X`** inside, and draws: - **`release`** → calls `build` - **`build`** → calls `clean` - **`clean`** → standalone (runs `rimraf`) - **`test`** → standalone You see the whole **execution tree**: what happens when you run `npm run release`. This is priceless on projects with **30+ scripts** where nobody remembers what depends on what.

Why is the "license" field so important?

**Without a license, your package is legally unusable.** For many companies, **no license = All Rights Reserved by default**, which means an employee **cannot use the package** in a commercial project. This is a real reason why a package with a million downloads might be skipped in favor of a less popular one with a clear **MIT**. **Most common values**: - **MIT**, most broadly accepted, very permissive, works everywhere - **Apache-2.0**, similarly permissive, adds patent protection - **ISC**, simplified MIT, used by npm as the default - **GPL-3.0**, copyleft, requires opening the source of any project using it **SPDX format**: use the codes from [spdx.org/licenses](https://spdx.org/licenses), not "MIT License", just `"license": "MIT"`. npm and compliance tools (FOSSA, Snyk) only parse SPDX codes.

What are `main`, `module` and `types` for?

Three different **entry points** for different consumers of your package: - **`main`**, the classic **CommonJS** entry (`require('my-package')`). Points at `./dist/index.cjs` or `./dist/index.js`. - **`module`**, the **ESM** entry (`import x from 'my-package'`). Points at `./dist/index.mjs` or `./dist/index.esm.js`. - **`types`**, the file with **TypeScript declarations** (`./dist/index.d.ts`). **Modern packages** also add an **`exports`** field that replaces all three and allows **conditional exports** (different code for Node.js vs browser, dev vs production). The validator shows which of these you have and flags clearly typoed paths like `./dis/index.js` (we cannot check the filesystem, but we warn on the obvious cases).

Why is "private": true sometimes a lifesaver?

**Because it saves you from accidental publishing to npm.** Classic story: you work on an **internal company project** with the name `acme-internal-tools` in the file. Some dev (or CI) runs `npm publish`. **The whole world learns about your internal package**, plus you lose the name in the public registry. `"private": true` in `package.json` **blocks `npm publish`** completely, npm refuses with an error. Use it **always** in: - **monorepo workspaces** (the root `package.json` is usually private) - **applications** (not libraries, e.g. your Next.js app) - **private company projects** The validator does not treat a missing `private` as an error, but when it sees `"private": true` it understands the context and **stops complaining about a missing license or description** (you are not publishing, so you do not need them).

package.json validator - free

package.json

Paste the contents of your package.json file.

{
  "name": "awesome-toolkit",
  "version": "1.4.2",
  "description": "A friendly toolkit for building delightful CLIs.",
  "type": "module",
  "main": "./dist/index.cjs",
  "module": "./dist/index.mjs",
  "types": "./dist/index.d.ts",
  "license": "MIT",
  "author": "Jane Developer <jane@example.com>",
  "homepage": "https://github.com/example/awesome-toolkit",
  "repository": {
    "type": "git",
    "url": "https://github.com/example/awesome-toolkit.git"
  },
  "scripts": {
    "build": "npm run clean && tsc",
    "clean": "rimraf dist",
    "test": "vitest",
    "lint": "eslint .",
    "release": "npm run build && npm publish",
    "prepare": "npm run build"
  },
  "dependencies": {
    "chalk": "^5.3.0",
    "commander": "^11.1.0",
    "typescript": "^5.4.0",
    "zod": "^3.22.4"
  },
  "devDependencies": {
    "@types/node": "^20.11.0",
    "eslint": "^8.56.0",
    "rimraf": "^5.0.5",
    "typescript": "^5.4.0",
    "vitest": "^1.2.0"
  },
  "peerDependencies": {
    "react": ">=18"
  }
}

1,010 chars · 41 lines

Status

Looks good

Metadata

Key fields from the package.

Package name

awesome-toolkit

Version

1.4.2

Description

A friendly toolkit for building delightful CLIs.

Module type

ES Modules

Entry point (main)

./dist/index.cjs

ESM entry (module)

./dist/index.mjs

TypeScript types file

./dist/index.d.ts

License

MIT

Author

Jane Developer <jane@example.com>

Homepage

https://github.com/example/awesome-toolkit

Repository

https://github.com/example/awesome-toolkit.git

Private package

Required fields

name and version are required when publishing.

Package namepresent

Every package needs a unique name - it identifies the package on npm and in imports.

Versionpresent

A semver version (e.g. 1.2.3) is mandatory; npm will refuse to publish without it.

Descriptionpresent

A short description helps people find your package on npm and shows up on the package page.

Licensepresent

Without a license nobody knows whether they can legally use your code - MIT or Apache-2.0 are common picks.

Repositorypresent

A repository link makes it easy to report bugs and inspect the source of your package.

Scriptspresent

Scripts (build, test, dev, etc.) document how to run the project - without them new contributors are stuck.

Scripts

Commands defined in the scripts field.

build

npm run clean && tsc

→ calls:clean

← called by:releaseprepare

clean

rimraf dist

← called by:build

teststandalone

vitest

lintstandalone

eslint .

release

npm run build && npm publish

→ calls:build

prepare

npm run build

→ calls:build

Dependencies

Package counts across buckets.

dependencies

devDependencies

peerDependencies

optionalDependencies

Semver range breakdown

Issues and tips

Duplicate dependency
typescript appears in both dependencies and devDependencies - keep it in one section only.
Missing peer dependency
react is required as a peer but is not in your dependencies - add it, or accept the warning intentionally.

What is actually in your package.json? Check before you ship

Your `package.json` is about to land in npm. Or in CI. Or get pasted into a monorepo nobody has cleaned up in two years. The question: is this file actually OK? Is the name valid, the version proper SemVer, do you have the same package in both `dependencies` and `devDependencies`, will `"react": "*"` blow up the next time someone runs npm install.

You paste the whole file into the textarea. The validator does four things:

checks whether it is valid JSON at all (most common bug: a trailing comma after the last field);
validates the npm schema: name matches registry rules, version is proper SemVer, root is an object;
draws a graph of your scripts: which script calls which (e.g. `build` calls `clean` and `compile`), so you can immediately see what happens when you run `npm run release`;
audits dependencies: duplicates between deps and devDeps, wildcards (`"*"`, `"latest"`), mixed styles (`^` vs `~` vs exact pins), missing peers.

Everything runs locally in your browser. Nothing leaves the page, so you can safely paste your company's `package.json`, no one outside your computer sees the dependency names, private registry paths, or script names.

How to use it

Paste the whole `package.json` into the big textarea at the top. If you just want to see how this works, click Load sample, the validator will load an example package with one intentionally left issue.

The "Validity" card shows the result green or red right away. Green = the JSON parses and the npm schema is satisfied. Red = click through the error list to see the exact things to fix.

The "Metadata" card shows the name, version, module type (ESM or CommonJS), license, repository in a readable layout instead of you scanning through raw JSON.

The "Scripts" card draws the graph: which script calls which. You see `build` → `clean` + `compile` → `tsc`. Priceless on an inherited project with 30 scripts.

The "Dependencies" card counts packages across four sections (deps / devDeps / peerDeps / optional) and lists detected issues: duplicates, wildcards, missing peers, mixed version styles.

The "Required fields" card is a green or amber checklist: name, version, description, license, scripts, repository. You know immediately what is missing before this package can be published to npm.

Click Format if you pasted a single-line `package.json` and want a readable output to copy back.

When this is useful

Five situations where the validator saves you an hour of CI debugging:

Before your first `npm publish`. A package is going to npm for the first time. The validator checks whether the name is valid (bad characters = registry rejects), whether the version is SemVer, and whether you have a license. Without it you find out only after `npm publish` when the publish fails.
Code review on a monorepo pull request. Someone added a package. You paste its `package.json` into the validator and instantly see **`"react": "*"` in deps**. You comment on the PR before merging something that will break on the next update.
Audit of a project you are about to inherit. You take over a legacy project where 47 scripts call each other. The validator draws the graph, you see that `release` calls `build`, which calls `compile`, which calls `tsc`. A road map instead of reading 47 lines top to bottom.
Figuring out why CI fails on `npm ci`. The CI build will not pass. You paste `package.json` and see: `package-x` is in both deps and devDeps, the lock-file gets confused, `npm ci` picks different versions. The validator surfaces this as a red issue.
Migrating from npm to pnpm or yarn. Before the migration you paste both `package.json` files (old and new) and check whether peer dependencies are consistent, whether wildcards are gone (pnpm is less forgiving), and whether scripts form a sensible graph.

Questions and answers

No. All validation runs in your browser. The file never leaves your computer, there is no API on the other side. You can safely paste a company `package.json` with private package names, internal registry paths, or script names like `deploy-staging`. The validator works 100% offline after the page first loads, you can even disconnect from the internet and it will still work.

What is actually in your package.json? Check before you ship

You paste the whole file into the textarea. The validator does four things:

checks whether it is valid JSON at all (most common bug: a trailing comma after the last field);
validates the npm schema: name matches registry rules, version is proper SemVer, root is an object;
draws a graph of your scripts: which script calls which (e.g. `build` calls `clean` and `compile`), so you can immediately see what happens when you run `npm run release`;
audits dependencies: duplicates between deps and devDeps, wildcards (`"*"`, `"latest"`), mixed styles (`^` vs `~` vs exact pins), missing peers.

How to use it

The "Validity" card shows the result green or red right away. Green = the JSON parses and the npm schema is satisfied. Red = click through the error list to see the exact things to fix.

The "Metadata" card shows the name, version, module type (ESM or CommonJS), license, repository in a readable layout instead of you scanning through raw JSON.

The "Scripts" card draws the graph: which script calls which. You see `build` → `clean` + `compile` → `tsc`. Priceless on an inherited project with 30 scripts.

The "Dependencies" card counts packages across four sections (deps / devDeps / peerDeps / optional) and lists detected issues: duplicates, wildcards, missing peers, mixed version styles.

Click Format if you pasted a single-line `package.json` and want a readable output to copy back.

When this is useful

Five situations where the validator saves you an hour of CI debugging:

Before your first `npm publish`. A package is going to npm for the first time. The validator checks whether the name is valid (bad characters = registry rejects), whether the version is SemVer, and whether you have a license. Without it you find out only after `npm publish` when the publish fails.
Code review on a monorepo pull request. Someone added a package. You paste its `package.json` into the validator and instantly see **`"react": "*"` in deps**. You comment on the PR before merging something that will break on the next update.
Audit of a project you are about to inherit. You take over a legacy project where 47 scripts call each other. The validator draws the graph, you see that `release` calls `build`, which calls `compile`, which calls `tsc`. A road map instead of reading 47 lines top to bottom.
Figuring out why CI fails on `npm ci`. The CI build will not pass. You paste `package.json` and see: `package-x` is in both deps and devDeps, the lock-file gets confused, `npm ci` picks different versions. The validator surfaces this as a red issue.
Migrating from npm to pnpm or yarn. Before the migration you paste both `package.json` files (old and new) and check whether peer dependencies are consistent, whether wildcards are gone (pnpm is less forgiving), and whether scripts form a sensible graph.

Questions and answers

package.json validator

What is actually in your package.json? Check before you ship

How to use it

When this is useful

Questions and answers

Related tools

JWT decoder

UUID Generator

package.json validator

What is actually in your package.json? Check before you ship

How to use it

When this is useful

Questions and answers

Related tools

JWT decoder

UUID Generator