test what is described at https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry#publishing-a-package
the package is NOT set to "private" in its package.json
,
instead the "publishConfig" was pinned.
this is an optional thing, that helped me not to publish this package on npmjs.org by accident.