NPM Unpublish Policy Update


So I’m not going to rehash the entire controversy that triggered the un-publishing of NPM modules that ultimately broke everyone’s build. Everyone has an opinion of whether is was right or wrong, but the only thing everyone does agree on is that this brought light to a giant flaw with the NPM ecosystem. I’m not going to comment on NPM’s original decision that sparked the controversy but I think their changes in regards to un-publishing modules is pretty logical (it was basically what I came up with in my head) – so the basics rules are now:

  • If the version is less than 24 hours old, you can unpublish it. The package will be completely removed from the registry. No new packages can be published using the same name and version. 
  • If the version is older than 24 hours, then the unpublish will fail, with a message to contact
  • If you contact support, they will check to see if removing that version of your package would break any other installs. If so, we will not remove it. You’ll either have to transfer ownership of the package or reach out to the owners of dependent packages to change their dependency.
  • If every version of a package is removed, it will be replaced with a security placeholder package, so that the formerly used name will not be susceptible to malicious squatting.


  • If another member of the community wishes to publish a package with the same name as a security placeholder, they’ll need to contact  npm will determine whether to grant this request. (Generally, we will.)

So there was a lot of criticism about the changes saying that it doesn’t address the original problem that sparked everything. I’ll give my commentary that while it doesn’t address the pre-cursor to the un-publishing of the modules, it does solve and prevent users from breaking people’s builds so I call that a win for all of us. On a completely separate topic is the question/problem of who owns a package and ultimately, it’s NPM and I will respect their rules because I ultimately benefit form them as an organization and I feel they contribute and make things better overall. So while I was annoyed with the broken builds and could assign blame to a number of parties (well, like 2) – I feel like NPM has made changes to help protect this from happening again so I ultimately am going to move on and focus on more important things (and I think everyone else should too).