Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Npm Updates Policy on Removing Packages

Npm Updates Policy on Removing Packages

On the heels of a dramatic moment in JavaScript history, npm has announced an updated policy that governs what happens when users want to unpublish a package.

The new policy states that:

  • Package versions less than 24 hours old can be unpublished.
  • Packages older than 24 hours will require contact with npm support.
  • If npm support is involved, npm will check to determine if a package version has any dependents. If there are, they will not unpublish it.
  • If all versions of a package are removed, npm will drop-in a placeholder package to keep future users from unknowingly referencing a potentially malicious replacement.

In a blost post describing the new policy, npm provided examples of various situations and how the new policy would apply.

Looking back at the recent issue of the unpublished left-pad package, the new rules would have kept the author Azer Koçulu from unpublishing it because it was older than 24 hours and it had many dependents.

Npm says that having the ability to unpublish a package is important, but that it's important for individuals to bear their responsibility to the community:

There are important and legitimate reasons for the feature, so we have no intention of removing it, but now we’re significantly changing how unpublish behaves and the policies that surround it. This policy is a first step towards balancing the rights of individual publishers with npm’s responsibility to maintain the social cohesion of the open source community.

The community response has been mixed, but a thread on reddit presented a reminder of what it means to open-source code.

Rate this Article