One-command tool — the fine print

Detail page for One-command tool. The highest-staleness claims, dated and sourced.

Last verified: 2026-06-07

---

A published name is public and near-permanent

Once you publish, anyone can see and install the package, and you can't overwrite or fully reclaim a name. Pick one you're happy to keep, and publish nothing secret. [confirmed]

2FA is mandatory to publish

Both PyPI and npm require two-factor to publish — a passkey or authenticator app, set up once with the account, not optional. [confirmed]

Other distribution shapes

• npm / npx is the exact same idea for a Node script — the recipient runs npx your-tool with no install. [confirmed]
• A Homebrew tap adds a polished brew install you/tools/my-tool on Mac/Linux, at the cost of extra setup (a second repo holding a formula). [confirmed]

Both are covered as asides in Package a CLI tool.

Pricing

Publishing public packages to PyPI and npm is free. [confirmed] Private hosting costs money (npm paid plans; PyPI has none) — re-check live at npmjs.com/products if you need private. [unclear] (current private pricing)

---

Sources

• PyPI — mandatory 2FA
• npm — configuring two-factor authentication
• npm publish — new packages default to public; --access restricted keeps a scoped name private
• npm products / pricing