Warn user if "npm deprecate" will result in deprecating the entire package


(Rhys Arkins) #1

npmjs will flag an entire package as deprecated if whatever version is tagged as latest is deprecated. This usually makes sense, but not always.

Here are some scenarios where deprecating the package is unintentional:

Deprecation scenario 1:

  • Version 1.0.1 is published with a bad fault
  • Package author deprecates 1.0.1 thinking this means that everyone will go back to installing 1.0.0 again

Deprecation scenario 2:

  • Version 2.4.0 is latest
  • Author intends to update to 3.0.0 with a breaking change and deprecate 2.x
  • Author runs npm deprecate on 2.4.0 before publishing 3.0.0

In both cases, the author ends up with a deprecated package and may not even be aware. This has happened with some popular packages, such as debug (20 million downloads a week) earlier today:

I think that this could be prevented if the npm deprecate command were enhanced to warn the user “This will deprecate the entire package on npmjs - are you sure you want to continue?” and maybe adding “Publish a new latest version or roll back latest to an earlier version first if you do not wish to deprecate the entire package with this command”.


(Qix) #2

I don’t think it’s deprecating the “entire package” on NPM. It’s looking to see if the version tagged with “latest” is deprecated and showing that message.

The phrasing seems weird, as all of the npm deprecate commands had very specific ranges added to them. It’s obvious the intent of the npm deprecate command wasn’t to deprecate the entire package, but that’s not what the message reflects.

I do agree that adding an intuitive warning about tags would be helpful, especially in scenarios similar to the above.
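The pre-flight check proposed in post #1 and agreed with in post #2, written as an added example that is not part of this thread or of the npm CLI: given a package's dist-tags and version list (constructed here to mirror the two scenarios), it resolves the range passed to `npm deprecate` and reports whether the version tagged `latest` falls inside it. It implements only a subset of semver syntax (exact versions, x-ranges, comparators joined by spaces and `||`), which is an assumption of this example, not npm's own matcher.

```python
"""Pre-flight check for `npm deprecate <pkg>@<range>`: would the version
tagged `latest` fall inside the range, flagging the whole package on npmjs?
Semver subset only: exact versions, x-ranges (2.x, 1.0.x, *), comparators
(<, <=, >, >=, =) joined by spaces (AND) and by `||` (OR)."""
import re

def parse(v):
    """'1.2.3' -> (1, 2, 3); pre-release and build suffixes are ignored."""
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", v).groups())

def _clause(clause, ver):
    """Evaluate one space-separated AND group of comparators against ver."""
    for part in clause.split():
        m = re.match(r"(<=|>=|<|>|=)?(.+)", part)
        op, spec = m.group(1) or "=", m.group(2)
        if spec in ("*", "x", "X"):
            continue                          # matches every version
        if "x" in spec.lower():               # x-range such as 2.x or 1.0.x
            prefix = tuple(int(p) for p in spec.lower().split(".") if p != "x")
            if ver[:len(prefix)] != prefix:
                return False
            continue
        target = parse(spec)
        ok = {"=": ver == target, "<": ver < target, "<=": ver <= target,
              ">": ver > target, ">=": ver >= target}[op]
        if not ok:
            return False
    return True

def matches(rng, version):
    """True if `version` satisfies the semver range `rng`."""
    ver = parse(version)
    return any(_clause(c.strip(), ver) for c in rng.split("||"))

def deprecate_check(packument, rng):
    """Return (affected_versions, latest_is_affected) for a deprecate range."""
    affected = [v for v in packument["versions"] if matches(rng, v)]
    return affected, packument["dist-tags"]["latest"] in affected

# Constructed packuments mirroring the two scenarios in the thread.
SCENARIO_1 = {"dist-tags": {"latest": "1.0.1"}, "versions": ["1.0.0", "1.0.1"]}
SCENARIO_2 = {"dist-tags": {"latest": "2.4.0"}, "versions": ["2.3.0", "2.4.0"]}

if __name__ == "__main__":
    for name, pkg, rng in (("scenario 1", SCENARIO_1, "1.0.1"),
                           ("scenario 2", SCENARIO_2, "2.x")):
        affected, hits_latest = deprecate_check(pkg, rng)
        print(f"{name}: {affected} ->",
              "entire package would show as deprecated" if hits_latest
              else "latest untouched")
```

A real check would fetch the packument with `npm view <pkg> dist-tags versions --json` and run `deprecate_check` on it before calling `npm deprecate`.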