npm-unpublish
Remove a package from the npm registry
TLDR
Unpublish a specific package version
Unpublish the entire package
Unpublish a package that is scoped
Specify a timeout period before unpublishing
To prevent accidental unpublishing, use the --dry-run flag to see what would be unpublished
SYNOPSIS
npm unpublish [
PARAMETERS
The name of the package to unpublish. Required unless targeting the current working directory.
The name and version of the package to unpublish. Specifying a version is highly recommended to avoid unintentionally removing all versions of a package.
--force
Bypass all confirmation prompts. Use with extreme caution.
--registry=
The registry to use.
--otp=
One-time password from a two-factor authenticator.
--dry-run
Display what the command would do without actually making any changes.
DESCRIPTION
npm unpublish removes a package version from the npm registry. This action is *destructive* and should be used with caution.
It is primarily intended for correcting mistakes, such as publishing incorrect or incomplete package versions. Removing a package that is actively used by others can break their projects, leading to significant problems. Consider deprecating the package instead of completely removing it.
The command removes the specified version of a package. If no version is provided, it will remove *all* versions of the package. The command requires authentication, using either a currently logged-in user or an authentication token provided through environment variables or command-line options.
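An added example, not part of the original page or npm's own tooling: a POSIX shell wrapper that refuses a spec with no version (including scoped names such as `@myorg/mypackage`, whose leading `@` is not a version separator) and previews the removal with `--dry-run` before unpublishing. The function names `spec_version` and `safe_unpublish`, and the requirement that the version look like x.y.z, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not npm's code): refuse to unpublish without an exact version.

# spec_version SPEC: print the version pinned in SPEC, or fail if none is pinned.
# Accepts name@x.y.z and @scope/name@x.y.z.
spec_version() {
    sv_rest=${1#@}            # drop the scope's leading "@"; it is not a version separator
    case $sv_rest in
        *@*) sv_version=${sv_rest##*@} ;;
        *)   return 1 ;;      # no "@version" part: npm would remove ALL versions
    esac
    case $sv_version in
        [0-9]*.[0-9]*.[0-9]*) printf '%s\n' "$sv_version" ;;
        *) return 1 ;;        # tag or empty (assumption: this wrapper wants x.y.z only)
    esac
}

# safe_unpublish SPEC: dry-run first, then require the version to be typed back.
safe_unpublish() {
    su_spec=$1
    if ! su_version=$(spec_version "$su_spec"); then
        echo "refusing '$su_spec': no exact version, this would target every version" >&2
        return 2
    fi
    # Show what would be removed without changing the registry.
    npm unpublish "$su_spec" --dry-run || return 1
    printf 'Type %s to unpublish %s: ' "$su_version" "$su_spec" >&2
    read -r su_answer
    if [ "$su_answer" != "$su_version" ]; then
        echo "aborted" >&2
        return 3
    fi
    npm unpublish "$su_spec"
}
```

Source the file and call `safe_unpublish '@myorg/mypackage@1.2.3'` from a session that is already logged in.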
CAVEATS
Important: Unpublishing packages is strongly discouraged. Doing so can break dependent projects and cause significant disruption to the ecosystem.
npm's policy prohibits unpublishing packages that have been published for more than 72 hours. Contact npm support for assistance in exceptional circumstances.
AUTHENTICATION
Unpublishing requires authentication to ensure only authorized users can remove packages. You must be logged in to npm with an account that has ownership rights for the package. Authentication is typically handled using `npm login`.
SCOPE
For scoped packages (e.g., `@myorg/mypackage`), you must have the appropriate permissions within the organization or scope to unpublish the package.
HISTORY
The `npm unpublish` command has been part of npm since its early versions, primarily to address accidental publications or critical errors in package releases. However, due to its destructive nature and potential impact on the ecosystem, npm has gradually introduced limitations and warnings to discourage its use.
SEE ALSO
npm-deprecate(1), npm-publish(1)