Cli: [BUG] `unpublish` didn't unpublish

After 48-72 hours, no package version can ever be unpublished. Something published 2 weeks ago is there forever.

From https://www.npmjs.com/policies/unpublish:

Packages published more than 72 hours ago

Regardless of how long ago a package was published, you can unpublish a package that:

• no other packages in the npm Public Registry depend on
• had less than 300 downloads over the last week
• has a single owner/maintainer

The aforementioned package had about 50 installs so far (overall), no other package in the registry depends on it and it has a single owner/maintainer so all three conditions are met. Also, the output of the npm unpublish command indicates that all went smoothly.

Yet, my package version isn't unpublished. Where am I doing a mistake?

Fair point.

I also don't think you can unpublish the last version of a package, regardless. Meaning, you can publish a new version, and then unpublish v1.0.0.

Ah! Will try that, thanks.

In that case, the "bug" is in the CLI output / exit code – it should say "cannot unpublish the latest version" or something.

So it turns out the problem was with auth – I'm on a new computer and was not properly logged in. After running npm login, I was actually able to publish and unpublish successfully a couple of time.

Some observations:

• npm unpublish prints a success message even if something goes horribly wrong, like auth.
• It's possible to npm unpublish even the latest version. (It is possible to unpublish all versions of a package, one by one, or do them all in one go with npm unpublish <package> --force.)

• This text in the docs is not correct, IMO:

  Unpublishing a package permanently removes the package from the registry so it is no longer available for other users to install. Once a package is unpublished, it cannot be republished. If you've unpublished a package by mistake, we'd recommend publishing again under a different name

  I was able to re-publish a package, no problem. It's just not possible to republish a specific version but the package itself can go from being in the registry, then being removed (returning 404), then being in the registry again.

• npm publish prints this on auth error which I think is slightly confusing:

  npm ERR! code E404
  npm ERR! 404 Not Found - PUT https://registry.npmjs.org/@shoptet-temp-20201015%2ffrontet - Not found
  npm ERR! 404 
  npm ERR! 404  '@shoptet-temp-20201015/[email protected]' is not in the npm registry.
  npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
  npm ERR! 404 
  npm ERR! 404 Note that you can also install from a
  npm ERR! 404 tarball, folder, http url, or git url.
  
  npm ERR! A complete log of this run can be found in:
  npm ERR!     /Users/borekb/.npm/_logs/2020-11-05T08_06_30_962Z-debug.log
  

Can you try to replicate this same behavior on npm v7.0.8?

npm unpublish prints a success message [even though I'm not authenticated]

Behaves the same in 7.0.9.

npm publish prints [code E404 when I'm not authenticated]

Behaves the same in 7.0.9.