
[BUG] npm unpublish should warn about mandatory 24-hour waiting period #958

Closed
broofa opened this issue Feb 27, 2020 · 15 comments
Labels
Bug thing that needs fixing Release 7.x work is associated with a specific npm 7 release

Comments

@broofa

broofa commented Feb 27, 2020

Okay, arguments about the wisdom of allowing modules to be unpublished aside, I recently found myself wanting to "republish" a new module I'd created (persistentmap) by npm unpublish'ing it, making a couple edits, then npm publishing it under the same version. (I know, I know... I wanted to just tweak a few things in the README. Shoot me.)

Aside from the expected warning about needing to use --force, the unpublish action worked fine. However, when I went to republish it, I was met with the following:

```text
$ npm publish
[... snip ...]
npm ERR! 403 403 Forbidden - PUT https://registry.npmjs.org/persistentmap - persistentmap cannot be republished until 24 hours have passed.
```

I'm sure there are good and valid reasons for this waiting period - I'm not arguing that - but to not have any warning about it was an unpleasant shock. In my case this isn't a big deal - nobody is using persistentmap yet so, fine whatever, but this could have been problematic had I decided to try this with a package that had dependents.

(Again, let's assume for the moment that most NPM users are, like me, willing to do stupid things they probably shouldn't be doing in the first place.)

It would have been nice to have had a warning about this. E.g.

```text
$ npm --force unpublish
**Warning**: Unpublished packages may not be republished for 24 hours.
Type (Y)es to proceed: _
```
@ljharb
Contributor

ljharb commented Feb 27, 2020

Unpublished package versions may never be reused; “24 hours” may be referring to a period (that is now much longer) within which a package version can be unpublished?

@broofa
Author

broofa commented Feb 27, 2020

@ljharb I get the same error, even when I bump the package version:

```text
$ grep version package.json
  "version": "1.0.1",

$ npm version patch
v1.0.2

$ npm publish
npm notice
npm notice package: persistentmap@1.0.2
npm notice === Tarball Contents ===
npm notice 5.3kB index.js
npm notice 2.1kB test.js
npm notice 576B  package.json
npm notice 1.7kB README.md
npm notice === Tarball Details ===
npm notice name:          persistentmap
npm notice version:       1.0.2
npm notice package size:  3.9 kB
npm notice unpacked size: 9.7 kB
npm notice shasum:        da8eaa4d6e5bf22761ddd85dd5724e20a00ffc2b
npm notice integrity:     sha512-1h+34Ff0F2n7Y[...]dTdkScT+Ushhg==
npm notice total files:   4
npm notice
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://registry.npmjs.org/persistentmap - persistentmap cannot be republished until 24 hours have passed.
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/kieffer/.npm/_logs/2020-02-27T16_01_28_634Z-debug.log
```

@ljharb
Contributor

ljharb commented Feb 27, 2020

Hmm, that’s very confusing. Do you have any remaining published versions? Or did you unpublish every version of it?

@broofa
Author

broofa commented Feb 27, 2020

Nope. This is a new module. The one/only version I've published is v1.0.0. I unpublished that version, tried to republish, failed, then tried to publish as v1.0.1, but that and subsequent attempts have all failed.

@ljharb
Contributor

ljharb commented Feb 27, 2020

Ah, gotcha. The 24 hour period must apply to fully unpublished packages.

What I generally do regardless (for future reference) is always publish the new version before unpublishing the old one.

@darcyclarke darcyclarke added the Bug thing that needs fixing label Oct 30, 2020
@darcyclarke
Contributor

npm v6 is no longer in active development; we will continue to push security releases to v6 at our team's discretion as per our Support Policy.

If your bug is reproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo.

Closing: This is an automated message.

@ljharb
Contributor

ljharb commented Jun 2, 2021

I'm pretty sure this one is still applicable to v7, so I'll reopen and tag as such.

@ljharb ljharb reopened this Jun 2, 2021
@ljharb ljharb added the Release 7.x work is associated with a specific npm 7 release label Jun 2, 2021
@wraithgar
Member

Currently npm does not prompt you when unpublishing, so adding something like that would constitute quite a breaking change. If this is still something you feel strongly about and would like to see added to npm in a future release, please open up an rrfc or rfc in our rfc repo.

@ljharb
Contributor

ljharb commented Jul 1, 2021

@wraithgar I don't think printing a warning, without a prompt, would be a breaking change.

@wraithgar
Member

@ljharb There was just a discussion at the last rfc meeting about the merits of warnings like this, so I still think an rfc discussion is the right place to make this decision.

@taejs

taejs commented Aug 12, 2021

+1

@gabrielcsapo

Just hit this today, it would be great to have a warning or error as there is a major cost to consumers of libraries that unpublish versions now having to wait 24 hours to get an update.

@rorcores

Would be great if we could add a warning for this. I removed a package and republished it for some internal reasons and now I have to wait 24 hours - how could I have known this was a thing.

@miguelsolorio

+1 to adding the warning as we ran into this and searching online led me to this issue.

@wraithgar
Member

wraithgar commented Sep 27, 2021

A warning in the cli is likely not going to be approved because this policy is only related to one of the many registries that npm supports. This policy is only for the npm registry itself, not the github packages registry for example.

We would have a mechanism for a registry sending a response during unpublish that gets logged, and npm already supports this via the npm-notice header. The npm registry would have to start responding with this header. To the best of my knowledge the place to make this kind of request for the npm registry is https://www.npmjs.com/support

@npm npm locked as off-topic and limited conversation to collaborators Sep 27, 2021