
[BUG] [FEATURE] npm publish, unpublish, and deprecate functionality needs/ requirement #47400 #6327

Closed
2 tasks done
ganeshkbhat opened this issue Apr 5, 2023 · 5 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release

Comments


ganeshkbhat commented Apr 5, 2023

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

I recommend allowing republishing the same version v1.0.0 with a different codebase B after unpublishing a version v1.0.0 with codebase A; with a possibility to view the publish, unpublish, republish logs/ codebase, etc.

What do you see instead?

When I publish a package v1.0.0 and unpublish it, it is unpublished correctly. However, I am not able to re-publish any other codebase B/ C/ D into v1.0.0. I will not be able to re-publish the same version v1.0.0.

Additional information

NA.

Expected Behavior

While being unable to republish an unpublished version v1.0.0 is the current behaviour, I believe being able to re-publish a different codebase with the same version v1.0.0 after unpublish should be possible. If you are archiving publish and unpublish logs plus codebase internally in your servers for security reasons and/ or other policy reasons, I suggest you could probably archive into the servers the published-unpublished version v1.0.0, the unpublished v1.0.0 codebase A, new v1.0.0 published codebase B, and future unpublish logs, so on, for the version v1.0.0, etc.

Steps To Reproduce

What steps will reproduce the bug?

npm publish, unpublish, and deprecate functionality needs/ requirement:

  • When I publish a package v1.0.0 and deprecate it, it is deprecated correctly. I will not be able to publish any other version into v1.0.0.
  • When I publish a package v1.0.0 and unpublish it, it is unpublished correctly. However, I am not able to re-publish any other codebase into v1.0.0. I will not be able to re-publish the same version v1.0.0.

How often does it reproduce? Is there a required condition?

Always.

Environment

  • npm: v8.15.0
  • Node.js: v18.10.0
  • OS Name: Microsoft Windows NT 10.0.22621.0 x64, Linux, Mac
  • System Model Name: Dell Microsoft Windows 11
  • npm config: defaults
; "builtin" config from C:\Users\GB\Documents\binaries\node\node_modules\npm\npmrc

prefix = "C:\\Users\\GB\\AppData\\Roaming\\npm"

; "user" config from C:\Users\GB\.npmrc

//registry.npmjs.org/:_authToken = (protected)
msvs_version = "2019"
python = "python3.8"

; node bin location = C:\Users\GB\Documents\binaries\node\node.exe
; node version = v18.10.0
; npm local prefix = C:\Users\GB
; npm version = 8.15.0
; cwd = C:\Users\GB
; HOME = C:\Users\GB
; Run `npm config ls -l` to show all defaults.
@ganeshkbhat ganeshkbhat added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Apr 5, 2023

ganeshkbhat commented Apr 5, 2023

Moved to npm/cli since I was recommended this repository. nodejs/node#47400.

I am unsure if this is a node issue, npmjs website issue, or an npm/cli issue. This primarily is a major policy and data management issue of nodejs, npmjs package management; not possibly a bug.


ljharb commented Apr 5, 2023

That’s by design. Once a version exists, it can never mean anything else ever again, even if it’s unpublished.

@ljharb ljharb closed this as not planned Won't fix, can't repro, duplicate, stale Apr 5, 2023
ganeshkbhat (Author) commented:

What is that for? Is it a maintenance and management hell problem or a requirement of some policy or some reason?


ljharb commented Apr 5, 2023

@ganeshkbhat it prevents a massive security issue where someone already depends on v1.2.3 of a package, and then suddenly v1.2.3 is republished with malicious code.

Version numbers, once used, are forever burned for anything else.

ganeshkbhat (Author) commented:

Yes. I definitely missed this foresight. Bad me.
