npm Implements Stricter Unpublishing Rules
In a notable incident, the maintainer of left-pad was able to remove the package from npm, causing disruption due to its widespread use in the community.
Following this event on March 23rd, 2016, npm released a detailed post-mortem report outlining their plans for preventing similar issues:
To prevent breakage of other packages, we are implementing stricter measures when it comes to unpublishing versions of packages.
An update was rolled out by npm on March 29th, 2016:
If an unpublished version is older than 24 hours, the attempt will fail and users will be directed to contact [email protected].
More recently, in January 2020, npm announced an even more stringent update, which is still in effect today as outlined in their unpublish policy:
Packages published less than 72 hours ago
Newly published packages can be removed within the first 72 hours provided no other packages depend on them in the registry.
Packages published more than 72 hours ago
Older packages can only be unpublished if they meet specific criteria: no other packages in the registry depend on them, they have low download counts, and they are owned by a single maintainer.
This updated policy effectively prevents critical packages like left-pad from being removed abruptly.
npm Protects Against Malicious Package Publishing
Another important change addressed by npm was the prevention of malicious packages being uploaded under abandoned names, a potential security risk that thankfully did not happen with left-pad. This safeguard was put into place following the same incident mentioned earlier in the initial post-mortem report:
If a widely used package is unpublished, npm will replace it with a placeholder package to deter immediate adoption of the name. Interested parties can still obtain the abandoned name by contacting npm support.
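The two policy points above, the 72-hour unpublish rules and the placeholder package that takes over an abandoned name, can both be turned into a dependency audit a project can run against registry metadata. The following is an added example written for this page; it is not npm's code and does not implement npm's actual registry logic. The registry documents are constructed inline so it runs offline. Two details are assumptions the page does not state: the "low downloads" threshold (LOW_DOWNLOADS_PER_WEEK is a placeholder number), and the way a placeholder package is recognised (a version ending in "-security" with the description "security holding package", which is how npm's security holding packages are commonly labelled).

```javascript
// Added example (not npm's code): audit dependencies against the unpublish
// policy described on this page, using constructed registry-style metadata.

const HOUR_MS = 60 * 60 * 1000;
const UNPUBLISH_WINDOW_MS = 72 * HOUR_MS;
// Assumption: the page only says "low downloads"; this number is a placeholder.
const LOW_DOWNLOADS_PER_WEEK = 300;

// Decide whether `pkg` could be unpublished under the policy.
// pkg: { name, publishedAt (ISO date), dependents, weeklyDownloads, maintainers }
function canUnpublish(pkg, now) {
  const ageMs = now - Date.parse(pkg.publishedAt);
  // Both rules require that no other registry package depends on it.
  if (pkg.dependents > 0) {
    return { allowed: false, reason: 'other packages depend on it' };
  }
  if (ageMs < UNPUBLISH_WINDOW_MS) {
    return { allowed: true, reason: 'within the 72-hour window' };
  }
  // Older packages must also have low downloads and a single maintainer.
  if (pkg.weeklyDownloads >= LOW_DOWNLOADS_PER_WEEK) {
    return { allowed: false, reason: 'download count is not low' };
  }
  if (pkg.maintainers.length !== 1) {
    return { allowed: false, reason: 'more than one maintainer' };
  }
  return { allowed: true, reason: 'older package meeting all criteria' };
}

// Assumption: a placeholder ("security holding") package is recognised by
// its version suffix and description; the page does not specify this.
function isPlaceholder(pkg) {
  return (
    typeof pkg.version === 'string' &&
    pkg.version.endsWith('-security') &&
    pkg.description === 'security holding package'
  );
}

// Classify each dependency name: 'placeholder' (name was taken over by the
// registry), 'removable' (could still disappear), 'protected', or 'unknown'.
function auditDependencies(depNames, registry, now) {
  return depNames.map((name) => {
    const pkg = registry[name];
    if (!pkg) return { name, status: 'unknown', reason: 'no registry metadata' };
    if (isPlaceholder(pkg)) {
      return { name, status: 'placeholder', reason: 'placeholder package' };
    }
    const verdict = canUnpublish(pkg, now);
    return { name, status: verdict.allowed ? 'removable' : 'protected', reason: verdict.reason };
  });
}

// Constructed sample registry documents (not real packages).
const SAMPLE_REGISTRY = {
  'sample-fresh': { name: 'sample-fresh', publishedAt: '2024-01-10T00:00:00Z',
    dependents: 0, weeklyDownloads: 12, maintainers: ['alice'] },
  'sample-core': { name: 'sample-core', publishedAt: '2020-01-01T00:00:00Z',
    dependents: 540, weeklyDownloads: 2000000, maintainers: ['alice'] },
  'sample-orphan': { name: 'sample-orphan', publishedAt: '2019-06-01T00:00:00Z',
    dependents: 0, weeklyDownloads: 40, maintainers: ['bob'] },
  'sample-taken': { name: 'sample-taken', publishedAt: '2021-03-01T00:00:00Z',
    version: '0.0.1-security', description: 'security holding package',
    dependents: 0, weeklyDownloads: 5, maintainers: ['npm'] },
};
const SAMPLE_NOW = Date.parse('2024-01-11T00:00:00Z');

// Run the audit over every sample dependency and print the report.
function runSampleAudit() {
  return auditDependencies(Object.keys(SAMPLE_REGISTRY), SAMPLE_REGISTRY, SAMPLE_NOW);
}

for (const row of runSampleAudit()) {
  console.log(`${row.name}: ${row.status} (${row.reason})`);
}
```

In the sample, `sample-fresh` is one day old with no dependents, so it is still removable; `sample-orphan` is years old but has no dependents, low downloads and one maintainer, so it is also removable; `sample-core` is protected because other packages depend on it; and `sample-taken` resolves to a placeholder, which a project should treat as a sign the original package is gone. A real audit would fetch the metadata per dependency from the registry instead of the inline table.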