
Npm Updates Policy on Removing Packages

By David Iffland, Mar 31, 2016

On the heels of a dramatic moment in JavaScript history, npm has announced an updated policy that governs what happens when users want to unpublish a package.

The new policy states that:

  • Package versions less than 24 hours old can be unpublished.
  • Packages older than 24 hours will require contact with npm support.
  • If npm support is involved, npm will check whether the package version has any dependents; if it does, npm will not unpublish it.
  • If all versions of a package are removed, npm will drop in a placeholder package to keep future users from unknowingly referencing a potentially malicious replacement.
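
To make the four rules concrete, the following is an added Node.js example written for this article; it is not npm's registry code and does not appear in npm's blog post. It encodes the rules as a decision function, builds the placeholder that occupies a vacated name, and shows the consumer-side check a team would run over its lockfile to spot dependencies that now resolve to a placeholder or to a version that no longer exists. All package names, dates and dependent counts are constructed sample data, and the placeholder version string `0.0.1-security` is an assumption used as a marker here.

```javascript
// Added example for this article, not npm's own code. Encodes the unpublish rules
// as a decision function, builds the placeholder package that keeps a vacated name
// from being taken over, and audits a lockfile against a registry snapshot.
// Dates, dependent counts and the placeholder version are constructed sample values.

const UNPUBLISH_WINDOW_MS = 24 * 60 * 60 * 1000;
const PLACEHOLDER_VERSION = '0.0.1-security'; // assumed marker for placeholder packages

// record: { name, version, publishedAt (ISO 8601), dependents (count of dependent packages) }
// now: Date at which the request is evaluated.
// Returns 'self-service' (less than 24h old, publisher may unpublish),
// 'contact-support' (older than 24h, nothing depends on it) or
// 'refused' (older than 24h and has dependents). A missing or unparsable
// publishedAt yields NaN, which deliberately falls through to the stricter branch.
function unpublishDecision(record, now) {
  const ageMs = now.getTime() - Date.parse(record.publishedAt);
  if (ageMs < UNPUBLISH_WINDOW_MS) return 'self-service';
  return record.dependents > 0 ? 'refused' : 'contact-support';
}

// Placeholder published when every version of a package is gone: it occupies the
// name so an unrelated publisher cannot later reuse it against existing installs.
function placeholderPackage(name) {
  return { name, version: PLACEHOLDER_VERSION, description: 'security holding package' };
}

// Applies a self-service unpublish to a package's version list. Anything that needs
// support involvement is left untouched. Returns { removed, versions }.
function applyUnpublish(versions, unpublishVersion, now) {
  const target = versions.find(v => v.version === unpublishVersion);
  if (!target) throw new Error(`unknown version ${unpublishVersion}`);
  if (unpublishDecision(target, now) !== 'self-service') return { removed: false, versions };
  const remaining = versions.filter(v => v.version !== unpublishVersion);
  if (remaining.length === 0) {
    const holder = { ...placeholderPackage(target.name), publishedAt: now.toISOString(), dependents: 0 };
    return { removed: true, versions: [holder] };
  }
  return { removed: true, versions: remaining };
}

// Consumer side: lockDeps is { name: pinnedVersion }, registry is { name: [records] }.
// Reports entries whose package is now only a placeholder or whose pinned version is gone.
function auditLockfile(lockDeps, registry) {
  const findings = [];
  for (const [name, pinned] of Object.entries(lockDeps)) {
    const versions = registry[name] || [];
    if (versions.some(v => v.version === PLACEHOLDER_VERSION)) {
      findings.push({ name, pinned, issue: 'placeholder' });
    } else if (!versions.some(v => v.version === pinned)) {
      findings.push({ name, pinned, issue: 'missing-version' });
    }
  }
  return findings;
}

const NOW = new Date('2016-03-31T12:00:00Z'); // constructed evaluation time

// Constructed registry snapshot: the left-pad dates and counts here are illustrative only.
const REGISTRY = {
  'left-pad': [{ name: 'left-pad', version: '0.0.3', publishedAt: '2014-03-10T00:00:00Z', dependents: 72 }],
  'fresh-lib': [{ name: 'fresh-lib', version: '1.0.0', publishedAt: '2016-03-31T02:00:00Z', dependents: 0 }],
  'stale-lib': [{ name: 'stale-lib', version: '2.1.0', publishedAt: '2015-01-01T00:00:00Z', dependents: 0 }],
};

// Runs the three cases: an old package with dependents, a fresh one, an old one without dependents;
// then unpublishes the fresh one and audits a lockfile that still pins it.
function demo() {
  const decisions = {};
  for (const [name, versions] of Object.entries(REGISTRY)) {
    decisions[name] = unpublishDecision(versions[0], NOW);
  }
  const after = { ...REGISTRY, 'fresh-lib': applyUnpublish(REGISTRY['fresh-lib'], '1.0.0', NOW).versions };
  const findings = auditLockfile({ 'left-pad': '0.0.3', 'fresh-lib': '1.0.0' }, after);
  return { decisions, findings };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the demo the left-pad record is refused (older than 24 hours, has dependents), the stale package without dependents is routed to support, and the fresh package is removed and replaced by the placeholder, which the lockfile audit then reports as `placeholder` rather than silently resolving to whatever someone publishes under that name next.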

In a blog post describing the new policy, npm provided examples of various situations and how the new policy would apply to each.

Looking back at the recent issue of the unpublished left-pad package, the new rules would have kept the author Azer Koçulu from unpublishing it because it was older than 24 hours and it had many dependents.

Npm says that the ability to unpublish a package is important, but that individuals must also bear their responsibility to the community:

There are important and legitimate reasons for the feature, so we have no intention of removing it, but now we’re significantly changing how unpublish behaves and the policies that surround it. This policy is a first step towards balancing the rights of individual publishers with npm’s responsibility to maintain the social cohesion of the open source community.

The community response has been mixed, but a thread on Reddit offered a reminder of what it means to open-source code.

Monolithic... by Mark N

bad