by byte1918 2453 days ago
The NPM fiasco should no longer be possible

If you want to unpublish a package after 72 hours have passed, contact npm Support. For more information about why we don’t allow users to unpublish packages after 72 hours, see our unpublish policy.

https://docs.npmjs.com/unpublishing-packages-from-the-regist...


Could you just publish garbage instead?
You could but everybody uses version pinning in production, right?
People who are serious about reproducible builds host their own repos. Most people probably don’t know the difference between ^1.0.1 and ~1.0.1
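To make the ^1.0.1 versus ~1.0.1 distinction concrete, here is an added example (not code from the thread or from npm) that implements npm's documented caret and tilde range rules, including the 0.x special cases the comment does not mention, and shows which published version an install would resolve to:

```javascript
// Added example: caret (^) vs tilde (~) range semantics, written from
// npm's documented rules rather than taken from the semver package.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain major.minor.patch version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns [lowerInclusive, upperExclusive] for a ^ or ~ range.
function rangeBounds(range) {
  const op = range[0];
  const base = parseVersion(range.slice(1));
  const [major, minor, patch] = base;
  let upper;
  if (op === '~') {
    // ~1.0.1 means >=1.0.1 <1.1.0: only patch-level updates are accepted.
    upper = [major, minor + 1, 0];
  } else if (op === '^') {
    // ^1.0.1 means >=1.0.1 <2.0.0: any minor or patch update is accepted.
    // For 0.x versions the left-most non-zero digit is the one that may not change:
    // ^0.2.3 means <0.3.0 and ^0.0.3 means <0.0.4.
    if (major > 0) upper = [major + 1, 0, 0];
    else if (minor > 0) upper = [0, minor + 1, 0];
    else upper = [0, 0, patch + 1];
  } else {
    throw new Error(`unsupported range operator in: ${range}`);
  }
  return [base, upper];
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const [lo, hi] = rangeBounds(range);
  return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
}

// Given the versions a registry offers, the highest one the range allows is
// what an unpinned install would pull in (constructed sample input below).
function highestSatisfying(available, range) {
  const ok = available.filter((v) => satisfies(v, range));
  ok.sort((a, b) => cmp(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

const published = ['1.0.1', '1.0.9', '1.4.0', '2.0.0']; // constructed sample
console.log(highestSatisfying(published, '~1.0.1')); // 1.0.9
console.log(highestSatisfying(published, '^1.0.1')); // 1.4.0
```

The difference is the whole point of the thread: a dependency declared as ^1.0.1 silently accepts a newly published 1.4.0, so a maintainer (or whoever holds their credentials) pushing a broken or malicious minor release reaches every unpinned consumer on their next install.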
Thanks for making me look that up!
If only npm's version pinning actually version pinned without idiotic subrules. package-lock.json is just one massive lie.
What do you mean?
Versioned garbage, but yeah you could. It would just make a new version not work which isn't as harmful as taking away a package.
It was never possible without "admin" intervention. That whole incident was NPM's sole responsibility.
That’s… plainly wrong. `npm unpublish --force your-package` would really just unpublish your package.
Okay, that's embarrassing, thanks. Hard to believe it took so long before the left-pad debacle happened.
Doesn't the code still technically belong to you? Can't you submit a takedown request?
It belongs to you but you distributed it with a license that gives away some of your rights.
Not sure how npm works in detail, doesn't it pull directly from devs' repositories? In that case can't the devs just publish an update that breaks everything?
This wouldn't be as big of a problem with version pinning.
npm allows for installation of specific versions. So even if a dev publishes a new version that breaks you can select a previous version known to work. A good dev shouldn’t be updating willy-nilly to the latest version just because it’s the latest. They ought to spec a particular version and update after testing.
Doesn't npm allow a dev to replace or redact already released versions?