[BUG] npm unpublish should warn about mandatory 24-hour waiting period

[broofa]

Okay, arguments about the wisdom of allowing modules to be unpublished aside, I recently found myself wanting to "republish" a new module I'd created (persistentmap) by npm unpublish'ing it, making a couple edits, then npm publishing it under the same version. (I know, I know... I wanted to just tweak a few things in the README. Shoot me.)

Aside from the expected warning about needing to use --force, the unpublish action worked fine. However when I went to republish it, I was a met with the following:

$ npm publish
[... snip ...]
npm ERR! 403 403 Forbidden - PUT https://registry.npmjs.org/persistentmap - persistentmap cannot be republished until 24 hours have passed.

I'm sure there are good and valid reasons for this waiting period - I'm not arguing that - but to not have any warning about it was an unpleasant shock. In my case this isn't a big deal - nobody is using persistentmap yet so, fine whatever, but this could have been problematic had I decided to try this with a package that had dependents.

(Again, let's assume for the moment that most NPM users are, like me, willing to do stupid things they probably shouldn't be doing in the first place.)

It would have been nice to have had a warning about this. E.g.

$ npm --force unpublish
**Warning**: Unpublished packages may not be republished for 24 hours.
Type (Y)es to proceed: _

[ljharb]

Unpublished package versions may never be reused; “24 hours” may be referring to a period (that is now much longer) within which a package version can be unpublished?

[broofa]

@ljharb I get the same error, even when I bump the package version:

$ grep version package.json
  "version": "1.0.1",

$ npm version patch
v1.0.2

$ npm publish
npm notice
npm notice package: [email protected]
npm notice === Tarball Contents ===
npm notice 5.3kB index.js
npm notice 2.1kB test.js
npm notice 576B  package.json
npm notice 1.7kB README.md
npm notice === Tarball Details ===
npm notice name:          persistentmap
npm notice version:       1.0.2
npm notice package size:  3.9 kB
npm notice unpacked size: 9.7 kB
npm notice shasum:        da8eaa4d6e5bf22761ddd85dd5724e20a00ffc2b
npm notice integrity:     sha512-1h+34Ff0F2n7Y[...]dTdkScT+Ushhg==
npm notice total files:   4
npm notice
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://registry.npmjs.org/persistentmap - persistentmap cannot be republished until 24 hours have passed.
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/kieffer/.npm/_logs/2020-02-27T16_01_28_634Z-debug.log

[ljharb]

Hmm, that’s very confusing. Do you have any remaining published versions? Or did you unpublish every version of it?

[broofa]

Nope. This is a new module. The one/only version I've published is v1.0.0. I unpublished that version, tried to republish, failed, then tried to publish as v1.0.1, but that and subsequent attempts have all failed.

[ljharb]

Ah, gotcha. The 24 hour period must apply to fully unpublished packages.

What I generally do regardless (for future reference) is always publish the new version before unpublishing the old one.

[darcyclarke]

npm v6 is no longer in active development; We will continue to push security releases to v6 at our team's discretion as-per our Support Policy.

If your bug is preproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo

Closing: This is an automated message.

[ljharb]

I'm pretty sure this one is still applicable to v7, so I'll reopen and tag as such.

[wraithgar]

Currently npm does not prompt you when unpublishing, so adding something like that would constitute quite a breaking change. If this is still something you feel strongly about and would like to see added to npm in a future release, please open up an rrfc or rfc in our rfc repo.

[ljharb]

@wraithgar i don't think printing a warning, without a prompt, would be a breaking change.

[wraithgar]

@ljharb There was just a discussion at the last rfc meeting about the merits of warnings like this, so I still think an rfc discussion is the right place to make this decision.

[taejs]

+1

[gabrielcsapo]

Just hit this today, it would be great to have a warning or error as there is a major cost to consumers of libraries that unpublish versions now having to wait 24 hours to get an update.

[rorcores]

Would be great if we could add a warning for this. I removed a package and republished it for some internal reasons and now I have to wait 24 hours - how could I have known this was a thing.

[miguelsolorio]

+1 to adding the warning as we ran into this and searching online led me to this issue.

[wraithgar]

A warning in the cli is likely not going to be approved because this policy is only related to one of the many registries that npm supports. This policy is only for the npm registry itself, not the github packages registry for example.

We would have a mechanism for a registry sending a response during unpublish that gets logged, and npm already supports this via the npm-notice header. The npm registry would have to start responding with this header. To the best of my knowledge the place to make this kind of request for the npm registry is https://www.npmjs.com/support