Cli: [BUG] `npm unpublish` should warn about mandatory 24-hour waiting period

Created on 27 Feb 2020 · 5 Comments · Source: npm/cli

Okay, arguments about the wisdom of allowing modules to be unpublished aside, I recently found myself wanting to "republish" a new module I'd created (persistentmap) by npm unpublish'ing it, making a couple edits, then npm publishing it under the same version. (I know, I know... I wanted to just tweak a few things in the README. Shoot me.)

Aside from the expected warning about needing to use --force, the unpublish action worked fine. However, when I went to republish it, I was met with the following:

$ npm publish
[... snip ...]
npm ERR! 403 403 Forbidden - PUT https://registry.npmjs.org/persistentmap - persistentmap cannot be republished until 24 hours have passed.

I'm sure there are good and valid reasons for this waiting period - I'm not arguing that - but to not have any warning about it was an unpleasant shock. In my case this isn't a big deal - nobody is using persistentmap yet so, fine whatever, but this could have been problematic had I decided to try this with a package that had dependents.

(Again, let's assume for the moment that most NPM users are, like me, willing to do stupid things they probably shouldn't be doing in the first place.)

It would have been nice to have had a warning about this. E.g.

$ npm --force unpublish
**Warning**: Unpublished packages may not be republished for 24 hours.
Type (Y)es to proceed: _

All 5 comments

Unpublished package versions may never be reused; “24 hours” may be referring to a period (that is now much longer) within which a package version can be unpublished?

@ljharb I get the same error, even when I bump the package version:

$ grep version package.json
  "version": "1.0.1",

$ npm version patch
v1.0.2

$ npm publish
npm notice
npm notice package: persistentmap@1.0.2
npm notice === Tarball Contents ===
npm notice 5.3kB index.js
npm notice 2.1kB test.js
npm notice 576B  package.json
npm notice 1.7kB README.md
npm notice === Tarball Details ===
npm notice name:          persistentmap
npm notice version:       1.0.2
npm notice package size:  3.9 kB
npm notice unpacked size: 9.7 kB
npm notice shasum:        da8eaa4d6e5bf22761ddd85dd5724e20a00ffc2b
npm notice integrity:     sha512-1h+34Ff0F2n7Y[...]dTdkScT+Ushhg==
npm notice total files:   4
npm notice
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://registry.npmjs.org/persistentmap - persistentmap cannot be republished until 24 hours have passed.
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/kieffer/.npm/_logs/2020-02-27T16_01_28_634Z-debug.log

Hmm, that’s very confusing. Do you have any remaining published versions? Or did you unpublish every version of it?

Nope. This is a new module. The one/only version I've published is v1.0.0. I unpublished that version, tried to republish, failed, then tried to publish as v1.0.1, but that and subsequent attempts have all failed.

Ah, gotcha. The 24 hour period must apply to fully unpublished packages.

What I generally do regardless (for future reference) is always publish the new version before unpublishing the old one.
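An added example, not code from the npm/cli project or from anyone in this thread: a small POSIX sh wrapper that follows the ordering recommended in the comment above (publish the replacement version first, then unpublish the old one), refuses to reuse a version number, and refuses to unpublish the last remaining version, since removing every version of a package is what produced the "cannot be republished" block shown earlier in the thread. `safe_republish`, `count_published_versions` and the `NPM_CMD` hook are hypothetical names chosen for this example; the script assumes the working directory's package.json already carries the new version and that `npm view` and `npm publish` behave as documented for the public registry.

```shell
#!/bin/sh
# Added example: safe "republish" ordering for npm packages.
# NPM_CMD is an assumed hook so the wrapper can be exercised with a stub
# in place of the real npm binary.
NPM_CMD="${NPM_CMD:-npm}"

# count_published_versions PKG
# Prints how many versions the registry currently lists for PKG.
# `npm view <pkg> version` prints one line per published version
# (just the version when there is one, "<pkg>@<v> '<v>'" when several),
# so counting non-empty lines gives the version count. A missing package
# yields 0 rather than aborting the caller.
count_published_versions() {
  "$NPM_CMD" view "$1" version 2>/dev/null | grep -c . || true
}

# safe_republish PKG OLD_VERSION NEW_VERSION
# Exit codes: 0 ok, 1 publish failed (nothing unpublished),
#             2 refused to unpublish the last remaining version,
#             3 refused because OLD_VERSION == NEW_VERSION.
safe_republish() {
  pkg=$1; old=$2; new=$3

  # An unpublished version number cannot be reused, so publishing the
  # same version again can never succeed; bump it instead.
  if [ "$old" = "$new" ]; then
    echo "refusing: $pkg@$new was already used; bump the version" >&2
    return 3
  fi

  # Step 1: publish the replacement while the old version still exists.
  echo "publishing $pkg@$new before touching $pkg@$old"
  if ! "$NPM_CMD" publish; then
    echo "publish of $pkg@$new failed; leaving $pkg@$old in place" >&2
    return 1
  fi

  # Step 2: never empty the package. If only one version is left after
  # publishing, unpublishing would remove every version and trigger the
  # registry's republish cooldown.
  n=$(count_published_versions "$pkg")
  if [ "$n" -le 1 ]; then
    echo "refusing to unpublish $pkg@$old: it would leave no versions" >&2
    return 2
  fi

  # Step 3: now it is safe to drop the old version.
  echo "unpublishing $pkg@$old"
  "$NPM_CMD" unpublish "$pkg@$old"
}

# Usage: sh safe-republish.sh <package> <old-version> <new-version>
if [ "$#" -ge 3 ]; then
  safe_republish "$@"
fi
```

The guard in step 2 is the one that would have caught the case in this thread: with a single published version, the wrapper publishes v1.0.1 (or whatever package.json carries) and then stops rather than unpublishing v1.0.0 and leaving the name empty.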
