The EINVALIDPACKAGENAME error for core modules occurs when your package name matches a Node.js built-in module like 'fs', 'http', or 'path'. Rename your package to avoid conflicts with Node.js internals.
This error occurs when you try to create or install a package with a name that matches a Node.js core module. Names like 'fs', 'http', 'path', 'util', 'events', 'stream', 'crypto', and other built-in modules are reserved. npm blocks these names to prevent confusion and potential security issues. If you could publish a package named 'fs', users might accidentally install it instead of using the built-in module, leading to unexpected behavior or malicious code execution. The validation happens both when publishing to npm and when npm parses package.json files during installation.
Node.js reserves these module names (partial list):
assert, buffer, child_process, cluster, console, constants,
crypto, dgram, dns, domain, events, fs, http, http2, https,
inspector, module, net, os, path, perf_hooks, process,
punycode, querystring, readline, repl, stream, string_decoder,
timers, tls, tty, url, util, v8, vm, worker_threads, zlibIf your package name matches any of these, you need to rename it.
Change the name in your package.json to something unique:
{
"name": "my-http-utils"
}Good naming strategies:
- Add a prefix: my-fs, acme-http
- Add a suffix: fs-extra, path-utils
- Use a scoped name: @yourname/fs
- Use a more descriptive name: file-system-helpers
Scoped names allow you to use otherwise reserved words:
{
"name": "@yourcompany/http"
}The scope (@yourcompany/) makes the name unique, even if 'http' alone would be invalid.
For public scoped packages, publish with:
npm publish --access publicIf the error appears during install, check package-lock.json for invalid entries:
# Search for suspicious entries
grep -E '"(fs|http|path|util)":' package-lock.jsonIf found, delete the lock file and reinstall:
rm package-lock.json
npm installBefore publishing, validate your name:
npx validate-npm-package-name "your-package-name"This tool checks all npm naming rules and tells you exactly what's wrong if the name is invalid.
The list of reserved names grows with each Node.js version as new core modules are added. For example, worker_threads was added in Node.js 10.5.0.
Some packages published before these restrictions exist with core module names. npm doesn't retroactively remove them, but you cannot publish new packages with these names.
If you're building a polyfill or compatibility layer for a core module, the convention is to use names like:
- readable-stream (for stream polyfill)
- path-browserify (for browser compatibility)
- buffer (special case - this one was grandfathered)
For tools that need to intercept or mock core modules (like testing frameworks), use runtime techniques rather than trying to publish packages with core module names.
npm error code ENOENT npm error syscall spawn git npm error path git npm error errno -4058 npm error enoent An unknown git error occurred
How to fix "spawn git ENOENT" in npm
npm error code E401 npm error Incorrect or missing password.
How to fix 'E401 Unable to authenticate' errors with npm private registries
npm notice access token expired or revoked. Please try logging in again.
Token has expired - npm authentication failure
npm ERR! code EAI_AGAIN
How to fix "EAI_AGAIN" in npm
npm error code E403 npm error 403 Forbidden - PUT https://registry.npmjs.org/<package>
How to fix 'E403 Forbidden' error in npm