Laurie Voss

Un-un-publishing is an unprecedented action that we're taking given the severity and widespread nature of breakage, and isn't done lightly.

This action puts the wider interests of the community of npm users at odds with the wishes of one author; we picked the needs of the many.

Even within npm we're not unanimous that this was the right call, but I cannot see hundreds of builds failing every second and not fix it.

left-pad@0.0.3 is now restored to the registry. Run npm cache clear before attempting your installs again. This sucked and we're sorry.

This whole situation sucks. We will be carefully considering the issues raised by and publishing a post-mortem later.

In the meantime, several thousand open source projects have been repaired, and I'm sleeping fine tonight.

@seldo it wasn't your place to take another developers code and 'un-unpublish' it.

@seldo @npmjs Is that really your choice to make?

@JakeDChampion The package name was adopted by @camwest, who asked us to do this, but we acknowledge it's a very grey area.

@DaleJefferson it is immutable with the exception of being able to unpublish stuff, and up until now that's always been useful.

@seldo @DaleJefferson Unpublish is especially useful for "Holy shit I pushed a giant security hole, nobody use version <blah>!" situations.

A bit late, but maybe a good thing would be to add a timeframe in which you can unpublish? 24 hours?

@seldo seems the unpublishing thing is a major security risk? Should unpublishing not be allowed after some period of time?

@miranext we're (re)considering our policy carefully.

.@seldo Is that even legal to steal and publicly post the source code that the author has expressly forbid? Does theTOS grant npm * rights?

@ShaneX the code was released under the extremely liberal "WTFPL" license. The replacement module was published by a different npm user.