Comment by alright2565

2 years ago

No, it isn't?

The unpublish document describes the options that users of NPM have to remove packages themselves. It was created after some situation where someone unpublished an important package.

A whole different set of terms governs which packages NPM can remove. This definitely includes these packages, either as "abusive" or "name squatting".

Not only that, but NPM's TOS makes it very clear that you have no recourse if they decide to remove your package for any reason.

> Registry data is immutable, meaning once published, a package cannot change. We do this for reasons of security and stability of the users who depend on those packages. So if you've ever published a package called "bob" at version 1.1.0, no other package can ever be published with that name at that version. This is true even if that package is unpublished.

This statement makes assertions and sets expectations for both publishers and users. It would be senseless if npmjs started arbitrarily "taking down" packages at their own discretion simply because they include a tea.yaml file (as proposed in the comment I replied to).