npm publish tags
One thing that wasn't clear to me when I first got into publishing packages was how tags work.
I was used to how tagging worked in something like WordPress. I can apply multiple tags to a blog post and the same tag to multiple posts. But that isn't how tagging works with npm packages.
A tag (npm calls them dist-tags) can only be applied to a single version of a package.
By default, npm applies the latest tag when you publish a package without specifying a tag. That means if an existing version already has the latest tag, the tag is removed from that version and moved to the version just published.
Security releases to past versions
I came across this issue when trying to figure out a pattern for publishing security releases to past major versions.
Look at this sequence of releases:
- v1.0.0
- v2.0.0
- v1.0.1
If we don't specify tags on any of these releases, v1.0.1 will end up with the latest tag. We don't actually want that, since v2.0.0 is still the release we want installed by default; v1.0.1 is just a security release for an older version.
Legacy Tag?
I'm contemplating adding the tag legacy to older security releases so that the latest tag doesn't end up on the security release and displace the actual latest version.
I've looked into publishing an npm package with no tag but haven't figured that out yet.
A legacy tag isn't such a bad idea anyway, since it would be nice to see what the latest security release is for older versions when visiting the npm page.
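Here is a small shell helper, added as an example and not part of the original post, that makes the decision from the release sequence above explicit: compare the version being published against whatever the registry currently serves as latest, and pick the legacy tag for anything older so that `npm publish --tag` never moves latest backwards. The registry lookup (`npm view <pkg> version`) and the package name are assumptions shown only in comments; the comparison itself runs offline and expects full x.y.z versions.

```sh
#!/bin/sh
# semver_lt A B: succeed (exit 0) when version A sorts before version B.
# Compares major.minor.patch numerically; a pre-release suffix is ignored.
semver_lt() {
  a=${1%%-*}
  b=${2%%-*}
  # Split both versions into their numeric parts: $1..$3 for A, $4..$6 for B
  set -- $(echo "$a $b" | tr . ' ')
  if [ "$1" -ne "$4" ]; then
    [ "$1" -lt "$4" ]
  elif [ "$2" -ne "$5" ]; then
    [ "$2" -lt "$5" ]
  else
    [ "$3" -lt "$6" ]
  fi
}

# pick_tag CURRENT_LATEST NEW_VERSION: print the dist-tag to publish with.
# A release older than the current latest (e.g. a v1.0.1 security fix after
# v2.0.0) gets "legacy"; anything equal or newer keeps "latest".
pick_tag() {
  if semver_lt "$2" "$1"; then
    echo legacy
  else
    echo latest
  fi
}

# Usage sketch (assumed package name and registry access, not run here):
#   pkg=my-package
#   current=$(npm view "$pkg" version)                      # version tagged latest
#   new=$(node -p 'require("./package.json").version')
#   npm publish --tag "$(pick_tag "$current" "$new")"
# If latest already slipped onto an old release, it can be moved back with:
#   npm dist-tag add "$pkg@$current" latest
```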