by avianlyric 3080 days ago
They have added a 24-hour re-publishing cooldown for all package removals regardless of reason. Exceptions are made for the original publisher and npm staff.

Explained somewhere near the bottom of the post; the basic rationale is that it gives them time to notice fuckups and fix them.


This does not alleviate the issue where you can reuse package names. I suppose they believe what they mark as spam packages won't be used enough or is already bad enough that reusing the name is harmless. And they probably also believe that they can catch fuckups in a day. I don't think either is necessarily true; they are only true in this case because it hit popular dep trees. But what happens when something is erroneously marked as spam that's not as popular and the downstream dependents don't realize in 24 hours? If the problem is that "placeholders" are too heavy, then they could be made lighter weight, or put some rules around when they will add them and when they won't.
My guess is that the cost of the placeholders is indeed what is driving their decision, though perhaps it is a premature optimization.

Maybe they've had situations where a spammer has created a very large number (millions, billions?) of packages. It's possible that the majority of user submissions are automated spam from botnets. I would assume npm has some mitigations in place to prevent this abuse in the first place, such as rate limiting and captchas, though maybe that's not enough to stem the tide.

Though, given that they say they have humans doing the package deletion, that makes me think that the number of spam packages created can't be that high. Certainly not high enough to outweigh the risks of package name reuse. Increase your prices a few pennies a month so you can afford to store the placeholders forever.
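The two policies argued over in this thread (the 24-hour cooldown with exceptions for the original publisher and npm staff, versus permanent placeholders that reserve a removed name) can be modelled side by side. The block below is an added example written for this page, not npm's registry code; the registry class, the package name `example-pkg`, the user names and the timestamps are all constructed for the illustration. It shows the gap the second commenter points at: under the cooldown policy a third party can take over a removed name once 24 hours have passed, whereas the placeholder policy keeps it reserved.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Cooldown length as described in the thread: 24 hours after any removal.
COOLDOWN = timedelta(hours=24)


@dataclass
class Removal:
    """Record kept for a removed name so the policy can be enforced later."""
    removed_at: datetime
    original_publisher: str


class Registry:
    """Toy registry (constructed for this example, not npm's implementation).

    reserve_names=False models the cooldown policy from the thread.
    reserve_names=True models the 'placeholder' alternative: a removed name
    stays reserved for its original publisher instead of reopening.
    """

    def __init__(self, staff=(), reserve_names=False):
        self.packages = {}          # name -> current publisher
        self.removed = {}           # name -> Removal record
        self.staff = set(staff)     # accounts exempt from the cooldown
        self.reserve_names = reserve_names

    def publish(self, name, publisher, now):
        if name in self.packages:
            return "denied: name in use"
        rec = self.removed.get(name)
        exempt = rec is not None and (
            publisher == rec.original_publisher or publisher in self.staff)
        if rec is not None and not exempt:
            if self.reserve_names:
                return "denied: name reserved for original publisher"
            elapsed = now - rec.removed_at
            if elapsed < COOLDOWN:
                return f"denied: cooldown, {COOLDOWN - elapsed} remaining"
        self.packages[name] = publisher
        self.removed.pop(name, None)
        return "published"

    def unpublish(self, name, actor, now):
        owner = self.packages.get(name)
        if owner is None:
            return "denied: no such package"
        if actor != owner and actor not in self.staff:
            return "denied: not owner or staff"
        del self.packages[name]
        self.removed[name] = Removal(removed_at=now, original_publisher=owner)
        return "removed"


# Constructed reference time for the scenarios below.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def run_takeover_scenario(reserve_names=False):
    """A package is removed by staff (e.g. an erroneous spam flag) and a
    third party tries to claim the name 1 hour and 25 hours later."""
    reg = Registry(staff={"npm-staff"}, reserve_names=reserve_names)
    out = {}
    out["publish"] = reg.publish("example-pkg", "alice", T0)
    out["removal"] = reg.unpublish("example-pkg", "npm-staff", T0)
    out["third_party_1h"] = reg.publish("example-pkg", "mallory",
                                        T0 + timedelta(hours=1))
    out["third_party_25h"] = reg.publish("example-pkg", "mallory",
                                         T0 + timedelta(hours=25))
    return out


def run_original_publisher_scenario():
    """The original publisher is exempt and can re-publish right away."""
    reg = Registry(staff={"npm-staff"})
    reg.publish("example-pkg", "alice", T0)
    reg.unpublish("example-pkg", "npm-staff", T0)
    return reg.publish("example-pkg", "alice", T0 + timedelta(hours=1))


if __name__ == "__main__":
    print("cooldown policy:   ", run_takeover_scenario())
    print("placeholder policy:", run_takeover_scenario(reserve_names=True))
    print("original publisher:", run_original_publisher_scenario())
```

Running it prints the decision for each step; the only line that differs between the two policies is the 25-hour attempt, which the cooldown policy allows and the placeholder policy refuses. A downstream project that pins exact versions and integrity hashes in its lockfile would still notice the change of publisher, which is the check worth keeping regardless of which registry policy is in force.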