The EINVALIDPACKAGENAME error for core modules occurs when your package name matches a Node.js built-in module like 'fs', 'http', or 'path'. Rename your package to avoid conflicts with Node.js internals.
This error occurs when you try to create or install a package with a name that matches a Node.js core module. Names like 'fs', 'http', 'path', 'util', 'events', 'stream', 'crypto', and other built-in modules are reserved. npm blocks these names to prevent confusion and potential security issues. If you could publish a package named 'fs', users might accidentally install it instead of using the built-in module, leading to unexpected behavior or malicious code execution. The validation happens both when publishing to npm and when npm parses package.json files during installation.
Node.js reserves these module names (partial list):
assert, buffer, child_process, cluster, console, constants,
crypto, dgram, dns, domain, events, fs, http, http2, https,
inspector, module, net, os, path, perf_hooks, process,
punycode, querystring, readline, repl, stream, string_decoder,
timers, tls, tty, url, util, v8, vm, worker_threads, zlib

If your package name matches any of these, you need to rename it.
Change the name in your package.json to something unique:
{
  "name": "my-http-utils"
}

Good naming strategies:
- Add a prefix: my-fs, acme-http
- Add a suffix: fs-extra, path-utils
- Use a scoped name: @yourname/fs
- Use a more descriptive name: file-system-helpers
Scoped names allow you to use otherwise reserved words:
{
  "name": "@yourcompany/http"
}

The scope (@yourcompany/) makes the name unique, even if 'http' alone would be invalid.
For public scoped packages, publish with:
npm publish --access public

If the error appears during install, check package-lock.json for invalid entries:
# Search for suspicious entries
grep -E '"(fs|http|path|util)":' package-lock.json

If found, delete the lock file and reinstall:
rm package-lock.json
npm install

Before publishing, validate your name:
npx validate-npm-package-name "your-package-name"

This tool checks all npm naming rules and tells you exactly what's wrong if the name is invalid.
The list of reserved names grows with each Node.js version as new core modules are added. For example, worker_threads was added in Node.js 10.5.0.
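Because the reserved list depends on the Node.js version, a check can read it from the running interpreter instead of hard-coding four names as the grep above does. The following is an added example, not code from npm or from the original page; the function names and the sample data are assumptions made for illustration, and it reads the `packages` keys used by lockfileVersion 2 and 3. Hits in dependencies need review rather than automatic removal, since older packages with core module names still exist.

```javascript
// Added example: find core-module name collisions in package.json and package-lock.json.
const { builtinModules } = require('node:module');

// Core module names for the Node.js version running this script.
// Entries that exist only with the node: prefix and subpaths such as
// fs/promises are skipped: neither form can be an unscoped package name.
const CORE = new Set(
  builtinModules.filter((m) => !m.startsWith('node:') && !m.includes('/'))
);

// A scoped name (@scope/http) is unique, so it is not treated as a collision.
function isCoreModuleName(name) {
  if (typeof name !== 'string' || name.startsWith('@')) return false;
  return CORE.has(name);
}

// Returns [{ where, name }] for every collision found (hypothetical helper).
function findCollisions(pkg, lock = {}) {
  const hits = [];
  if (isCoreModuleName(pkg.name)) {
    hits.push({ where: 'package.json name', name: pkg.name });
  }
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const dep of Object.keys(pkg[field] || {})) {
      if (isCoreModuleName(dep)) hits.push({ where: `package.json ${field}`, name: dep });
    }
  }
  // Lock file keys look like "node_modules/a/node_modules/@scope/b";
  // the package name is whatever follows the last "node_modules/".
  for (const key of Object.keys(lock.packages || {})) {
    const name = key.split('node_modules/').pop();
    if (isCoreModuleName(name)) hits.push({ where: `package-lock.json ${key}`, name });
  }
  return hits;
}

// Constructed sample input (not taken from a real project).
const samplePkg = {
  name: 'http',
  dependencies: { '@yourcompany/http': '1.0.0', fs: '0.0.1' },
};
const sampleLock = {
  packages: { '': {}, 'node_modules/@yourcompany/http': {}, 'node_modules/fs': {} },
};
console.log(findCollisions(samplePkg, sampleLock));
```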
Some packages with core module names were published before these restrictions were introduced and still exist. npm doesn't retroactively remove them, but you cannot publish new packages with these names.
If you're building a polyfill or compatibility layer for a core module, the convention is to use names like:
- readable-stream (for stream polyfill)
- path-browserify (for browser compatibility)
- buffer (special case - this one was grandfathered)
For tools that need to intercept or mock core modules (like testing frameworks), use runtime techniques rather than trying to publish packages with core module names.