
[RRFC] Option to Unpublish Specific Package Versions, Including Those with Dependents #805

Closed
aryamohanan opened this issue Nov 13, 2024 · 4 comments

Comments

@aryamohanan

aryamohanan commented Nov 13, 2024

Motivation ("The Why")

Currently, npm does not provide maintainers with the ability to unpublish a specific version of a package if the package has dependents, even if the specific version itself has none. This limitation can create issues when a version was mistakenly published, has minimal downloads, or is no longer relevant. Providing maintainers with more control over individual versions would help maintain cleaner and more accurate package registries, reduce user confusion, and empower maintainers to manage their packages effectively without impacting the entire package.

Example

For instance, in our case, version 5.0.0 of a package was mistakenly published instead of version 4. While the package as a whole has a few dependents, this specific version (5.0.0) has no active dependents, very few downloads (~2), and is no longer in use. If we could unpublish this specific version, it would help prevent unnecessary versions from cluttering the registry and make it easier for users to find the correct, active versions.

How

Current Behaviour

Currently, npm restricts maintainers from unpublishing specific versions of a package when the package has dependents. The only available options are to unpublish the entire package or unpublish versions with no dependents and minimal downloads. This limitation forces maintainers to keep outdated or mistakenly published versions that clutter the registry and complicate package management.

Desired Behaviour

Allow package maintainers to unpublish a specific version of a package, even if it has dependents, as long as it meets the following criteria:

  • The version has a low number of downloads (to be determined by npm’s current metrics).
  • The version itself has no dependents.

This change would give maintainers greater control over their packages, allowing them to remove unnecessary versions without affecting the entire package.

References
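The two criteria in "Desired Behaviour" can be expressed as a mechanical check over registry data. The block below is an added example, not npm's code or policy: it evaluates one version of a hypothetical package `example-pkg` against a download threshold and a per-version dependents list. The package document and download counts are constructed samples in the shape of the registry's package metadata and the `api.npmjs.org/versions/<pkg>/last-week` response; the dependents map is an assumed input, since the public registry exposes no per-version dependents API; and the 300-download default is illustrative, as the issue leaves the figure to npm.

```python
"""Eligibility check for unpublishing a single package version under the
criteria proposed in the issue (low downloads, no dependents of that version).
Added example, not npm's own code; runs offline on constructed documents."""
from __future__ import annotations

import json

# Constructed sample: the registry package document, reduced to the fields
# this check reads, for a hypothetical package "example-pkg".
PACKAGE_DOC = json.loads("""
{
  "name": "example-pkg",
  "dist-tags": {"latest": "5.0.0"},
  "versions": {
    "3.2.1": {"version": "3.2.1"},
    "4.0.0": {"version": "4.0.0"},
    "5.0.0": {"version": "5.0.0"}
  },
  "time": {
    "3.2.1": "2023-06-01T10:00:00.000Z",
    "4.0.0": "2024-11-12T09:30:00.000Z",
    "5.0.0": "2024-11-12T09:31:00.000Z"
  }
}
""")

# Constructed sample in the shape of the per-version downloads endpoint
# (https://api.npmjs.org/versions/<pkg>/last-week); the counts are invented.
VERSION_DOWNLOADS = {
    "package": "example-pkg",
    "downloads": {"3.2.1": 410, "4.0.0": 37, "5.0.0": 2},
}

# Assumed input: which registry packages resolve to each version. npm has no
# public per-version dependents API, so a real check would derive this from a
# dependency index or a lockfile crawl.
VERSION_DEPENDENTS = {"3.2.1": ["app-b", "app-a"], "4.0.0": ["app-c"], "5.0.0": []}


def unpublish_blockers(package_doc, version_downloads, version_dependents,
                       version, max_downloads=300):
    """Return the reasons the version may NOT be unpublished; empty means eligible.

    max_downloads is an illustrative threshold (the issue leaves the number to
    npm); a version with that many or more weekly downloads is blocked.
    """
    blockers = []
    if version not in package_doc.get("versions", {}):
        # Nothing to unpublish; report that rather than a misleading "eligible".
        return [f"{version} is not a published version of {package_doc['name']}"]
    downloads = version_downloads.get("downloads", {}).get(version, 0)
    if downloads >= max_downloads:
        blockers.append(
            f"{version} had {downloads} downloads (threshold {max_downloads})")
    dependents = version_dependents.get(version, [])
    if dependents:
        blockers.append(
            f"{version} is depended on by: {', '.join(sorted(dependents))}")
    return blockers


def latest_after_unpublish(package_doc, version):
    """If the version to be removed carries the 'latest' dist-tag, return the
    newest remaining version by publish time so the maintainer can retag it
    explicitly (the mistaken 5.0.0 in the issue is exactly this case).
    Returns None when 'latest' is unaffected."""
    if package_doc.get("dist-tags", {}).get("latest") != version:
        return None
    remaining = [v for v in package_doc["versions"] if v != version]
    if not remaining:
        return None
    # ISO-8601 timestamps in the same format compare correctly as strings.
    return max(remaining, key=lambda v: package_doc["time"][v])


if __name__ == "__main__":
    for v in ("5.0.0", "4.0.0", "3.2.1", "9.9.9"):
        reasons = unpublish_blockers(PACKAGE_DOC, VERSION_DOWNLOADS,
                                     VERSION_DEPENDENTS, v)
        print(v, "eligible" if not reasons else "blocked: " + "; ".join(reasons))
        retag = latest_after_unpublish(PACKAGE_DOC, v)
        if retag:
            print(f"  note: {v} is 'latest'; retag to {retag} after unpublishing")
```

With the constructed data, 5.0.0 is eligible on both criteria while 3.2.1 is blocked on both, which mirrors the distinction the issue draws between a package that has dependents and a single version that has none. The retag helper is there because the mistaken version in the example is also the one wearing the `latest` tag, and removing it without moving the tag is the step most likely to surprise downstream users.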

@ljharb
Contributor

ljharb commented Nov 13, 2024

This wouldn't be a CLI change (and thus not really an RFC), it'd be a registry policy change. I'd like to see it happen, as well, to be clear.

@aryamohanan
Author

We have already created an npm support ticket and received the following response from support:

"We take your feedback into consideration and it will help us prioritize what comes next in our backlog. We have some ideas on how we can improve the publishing processes to prevent such accidents as users mistakenly setting a wrong version."

This response gives us hope that npm will consider this request. I will also raise the issue in community discussions, as it is important to give maintainers more control over their packages.

@aryamohanan
Author

I have started a discussion here https://github.com/orgs/community/discussions/144533

@monishcm

Closing this issue as this is a registry change and the community discussion would suffice.
