`npm unpublish -f` gives strange unhelpful console outputs

Note: sorry for not following the issue template, it was bothering me, I will go right to the point.


I wanted to unpublish my entire package, which I created just for testing purposes. I executed `npm unpublish -f` from the folder containing my `package.json`, thinking that npm would infer the package name from it. I expected it to simply work. But NPM goes crazy.

Reproduction Steps

Note: I used `quick-test-unpublish-querty` as a package name, but to reproduce you will have to use a different one I guess, since now this name is taken.

  • Step 1. `mkdir quick-test-unpublish-querty && cd quick-test-unpublish-querty`
  • Step 2. `npm init -y`
  • Step 3. Create a dummy `README.md` just in case
  • Step 4. `npm publish`
  • Step 5. Check that it is really published, ok
  • Step 6. `npm unpublish -f` - observe the following unhelpful output:

        npm WARN using --force I sure hope you know what you are doing.

  • Step 7. Run it a second time, `npm unpublish -f`: observe the weirdest output:

        npm WARN using --force I sure hope you know what you are doing.
        npm ERR! code E403
        npm ERR! 403 Forbidden - DELETE https://registry.npmjs.org/quick-test-unpublish-querty/-rev/1-0526bac33a57c4e587540f30f3e8efad - You do not have permission to publish "quick-test-unpublish-querty". Are you logged in as the correct user?

  • Step 8. Astonishingly observe that the package was actually unpublished somehow.


While we’re at it, calling `npm unpublish -f` from a folder which does not have a `package.json` gives a slightly better error message but it could still be improved:

$ npm unpublish -f
npm WARN using --force I sure hope you know what you are doing.
npm ERR! Usage: undefined

I think a better error message such as `Missing package name` or something would be better.

I would also like to suggest that calling `npm unpublish -f` should never work. Even when inside the package folder, I think it would be safer to require the package name regardless. This could work as a safety measure, just like when we want to delete a repository on GitHub and we have to type its name (to make sure we’re not deleting the wrong thing)!

Platform Info

$ npm --versions
{ npm: '6.8.0',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.0',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '',
  zlib: '1.2.11' }
$ node -p process.platform
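
The two suggestions in the post above (a `Missing package name` error, and never inferring the target from `package.json`), sketched as an added example that is not part of the original post and not npm's code. `parseSpec`, `resolveUnpublishTarget` and the rule that removing all versions needs `--force` are assumptions of this sketch.

```javascript
// Added sketch, not npm's implementation. Names and rules here are hypothetical.

// Split "name", "name@1.0.0", "@scope/name" or "@scope/name@1.0.0".
function parseSpec(spec) {
  const at = spec.lastIndexOf('@');          // index 0 is the scope marker
  if (at > 0) {
    return { name: spec.slice(0, at), version: spec.slice(at + 1) || null };
  }
  return { name: spec, version: null };
}

// args: what follows `unpublish` on the command line.
// localManifest: parsed ./package.json, or null when the folder has none.
function resolveUnpublishTarget(args, localManifest) {
  const force = args.includes('-f') || args.includes('--force');
  const positionals = args.filter((a) => !a.startsWith('-'));
  if (positionals.length === 0) {
    // Never fall back to ./package.json; only mention it in the error.
    const seen = localManifest && localManifest.name
      ? ` (found "${localManifest.name}" in package.json; pass it explicitly)`
      : '';
    throw new Error('Missing package name' + seen);
  }
  if (positionals.length > 1) {
    throw new Error('Expected exactly one package spec');
  }
  const { name, version } = parseSpec(positionals[0]);
  if (!version && !force) {
    // Assumed rule: removing every version needs an explicit --force.
    throw new Error(`Refusing to unpublish all versions of "${name}" without --force`);
  }
  return { name, version, wholePackage: version === null };
}

// Constructed inputs: the two invocations from the report, then explicit ones.
const manifest = { name: 'quick-test-unpublish-querty', version: '1.0.0' };
for (const [args, pkg] of [
  [['-f'], manifest],
  [['-f'], null],
  [['quick-test-unpublish-querty', '-f'], manifest],
  [['@scope/pkg@1.2.3'], null],
]) {
  try {
    console.log(args.join(' '), '->', JSON.stringify(resolveUnpublishTarget(args, pkg)));
  } catch (err) {
    console.log(args.join(' '), '->', 'ERR!', err.message);
  }
}
```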

Is there anything else I should do with this bug report? Looks like it went unnoticed.

Nothing else to do, and it was noticed. If you look at the top by the bright “bugs” you can see tags have been added for “triaged”, “cli”, “help-wanted”, and “good-first-patch”.
