[BUG] unpublish didn't unpublish

[borekb]

Current Behavior:

I ran npm unpublish like this:

$ npm unpublish @shoptet-temp-20201015/[email protected]
- @shoptet-temp-20201015/[email protected]

I don't quite know how to interpret the output but the exit code was 0 so assume it worked.

However, even after giving it some time (~12 hours now), the package is still there:

$ npm view @shoptet-temp-20201015/[email protected]     

@shoptet-temp-20201015/[email protected] | MIT | deps: none | versions: 1

dist
.tarball: https://registry.npmjs.org/@shoptet-temp-20201015/frontet/-/frontet-1.0.0.tgz
.shasum: 590afe1470fd87323029de779de92e8ba6128b48
.integrity: sha512-aD/xx8/8MK6dw62MjS49GFhkgXL/uNhV6MiLE0L9ygkoNZy4YPlJAz3tovhGcIeNPTnD0IpXCLWHah9QyfJ4rw==
.unpackedSize: 10.0 kB

maintainers:
- borekb <[email protected]>

dist-tags:
latest: 1.0.0  

published 2 weeks ago by borekb <[email protected]>

https://www.npmjs.com/package/@shoptet-temp-20201015/frontet/v/1.0.0

Expected Behavior:

The package version should be unpublished. Is the problem in that the package has a single version only? The unpublish command ended with exit code 0 so I assume it doesn't matter.

Environment:

• OS: macOS Catalina 10.15.7
• Node: 12.18.4
• npm: 6.14.6

[ljharb]

After 48-72 hours, no package version can ever be unpublished. Something published 2 weeks ago is there forever.

[borekb]

From https://www.npmjs.com/policies/unpublish:

Packages published more than 72 hours ago

Regardless of how long ago a package was published, you can unpublish a package that:

• no other packages in the npm Public Registry depend on
• had less than 300 downloads over the last week
• has a single owner/maintainer

The aforementioned package had about 50 installs so far (overall), no other package in the registry depends on it and it has a single owner/maintainer so all three conditions are met. Also, the output of the npm unpublish command indicates that all went smoothly.

Yet, my package version isn't unpublished. Where am I doing a mistake?

[ljharb]

Fair point.

I also don't think you can unpublish the last version of a package, regardless. Meaning, you can publish a new version, and then unpublish v1.0.0.

[borekb]

Ah! Will try that, thanks.

In that case, the "bug" is in the CLI output / exit code – it should say "cannot unpublish the latest version" or something.

[borekb]

So it turns out the problem was with auth – I'm on a new computer and was not properly logged in. After running npm login, I was actually able to publish and unpublish successfully a couple of time.

Some observations:

• npm unpublish prints a success message even if something goes horribly wrong, like auth.

• It's possible to npm unpublish even the latest version. (It is possible to unpublish all versions of a package, one by one, or do them all in one go with npm unpublish <package> --force.)

• This text in the docs is not correct, IMO:

  Unpublishing a package permanently removes the package from the registry so it is no longer available for other users to install. Once a package is unpublished, it cannot be republished. If you've unpublished a package by mistake, we'd recommend publishing again under a different name

  I was able to re-publish a package, no problem. It's just not possible to republish a specific version but the package itself can go from being in the registry, then being removed (returning 404), then being in the registry again.

• npm publish prints this on auth error which I think is slightly confusing:

  npm ERR! code E404
  npm ERR! 404 Not Found - PUT https://registry.npmjs.org/@shoptet-temp-20201015%2ffrontet - Not found
  npm ERR! 404 
  npm ERR! 404  '@shoptet-temp-20201015/[email protected]' is not in the npm registry.
  npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
  npm ERR! 404 
  npm ERR! 404 Note that you can also install from a
  npm ERR! 404 tarball, folder, http url, or git url.
  
  npm ERR! A complete log of this run can be found in:
  npm ERR!     /Users/borekb/.npm/_logs/2020-11-05T08_06_30_962Z-debug.log
  

[ljharb]

Can you try to replicate this same behavior on npm v7.0.8?

[borekb]

npm unpublish prints a success message [even though I'm not authenticated]

Behaves the same in 7.0.9.

npm publish prints [code E404 when I'm not authenticated]

Behaves the same in 7.0.9.

[darcyclarke]

npm v6 is no longer in active development; We will continue to push security releases to v6 at our team's discretion as-per our Support Policy.

If your bug is preproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo

[AllanOricil]

regression #7650

[AllanOricil]

it is no longer true that you can unpublish a previous version after publishing a newer one.

[AllanOricil]

no error message, and this unpublish doesn't work, even after npm login