I read npm's documentation for npm unpublish but I find it confusing that unpublished versions still show up under a module's versions history/tab.
What is the practical impact of unpublishing a version?
Is it normal that unpublished versions still show up in a module's versions tab?
How do I retrieve the list of active (not unpublished) versions associated with a module?
What happens if users try to install an unpublished version?
I assume that users who have cached an unpublished version locally won't be blocked from installing it. Is that correct?
I'm responsible for maintaining a bunch of npm packages. Specifically, I am a maintainer of Apollo Server. Our latest major version combines over a dozen apollo-server-* packages into a single @apollo/server package.
We are going to use npm deprecate to mark the old packages as deprecated to help people find the new one. But I'm running into a bit of a pickle.
If my testing is correct, npm deprecate PACKAGENAME is actually equivalent to "individually mark all current versions of PACKAGENAME as deprecated". But if we then go ahead and publish another version of the package later, the new version appears to not be deprecated.
While we want people to upgrade to the new package, we still may publish some versions of the old package, for security fixes and the like. And unfortunately that will often mean publishing over a dozen separate packages.
So if I'm not confused, this will mean we have to re-run npm deprecate after any publish, or else the package will effectively end up non-deprecated?
So my next thought was to do the deprecation in a shell script, to either be run in CI post-publish or manually by a developer. But unless my testing was incorrect, it does not look like you can use NPM_TOKEN=xxx npm deprecate at all (whether it's an automation token or a publish token): I get an error that the package does not exist. So the script will have to be run manually... and will require me to enter dozens of OTPs.
So my question is: if I have a project that consists of dozens of packages that I want to keep deprecated even if I publish patches in the future, do I really need to maintain a shell script that runs npm deprecate dozens of times and requires me to manually enter dozens of OTPs? Or is there an easier way?
I have a Gatsby starter (taylorbryant/gatsby-starter-tailwind) that uses gatsby-plugin-postcss which is not compatible with the version of gatsby installed in my machine like a few other plugins used in the starter. You can see the warning I get when trying to build for production.
warn Plugin gatsby-plugin-postcss is not compatible with your gatsby version 3.14.2 - It requires gatsby@^2.0.0
How can I downgrade Gatsby to a specific version, maybe just locally?
This isn't too difficult.
Open your package.json file and change the actual version you want to use.
Then run npm update to make sure you update all the packages to the right version.
Please correct me if I'm wrong but I believe that is the way to change the Gatsby version.
Please do keep in mind that this will most probably cause a bunch of other discrepancies with other packages that actually require a higher version in order to work.
You can find more information about how different versions work here: https://www.gatsbyjs.com/docs/reference/release-notes/migrating-from-v2-to-v3/
Best of luck!
I'm using the semantic-release package which runs on my CI to release my library onto npm through my Github repo.
Recently, I had a breaking change for which I forgot to add the breaking-change text to my commit message before merging. So semantic-release made a minor release and published it onto npm instead of a major release.
Can I simply remove the wrong release created by semantic-release on Github to unpublish it?
How can I undo and unpublish the wrong minor release on Github and npm, and get semantic-release to re-release the recent commit I've made as a major release without messing up my repo?
You will have to remove everything manually.
Please note, once an NPM package has been published to the default npm registry, it can be unpublished within 24 hours (I may be off), but there is a catch: trying to publish the same version again will not work; the registry will block you.
So in case you remove the Git tag created by semantic-release, and the next version is the same as the unpublished one, you're in trouble.
I can also recommend using an alternative to semantic-release called atomic-release.
It's an SDK with a strategy to release NPM packages (kind of like semantic-release). Check it out: GithubNpmPackageStrategy
Disclaimer: I'm the author of atomic-release.
I know there's a public API for getting NPM download counts, as well as tools built on top of it like npm-stat and npmtrends. However, I'd like to get more granular and see downloads for a particular package by version. I don't see this documented in the API docs anywhere. Is it possible?
Per version download counts are now available from the npm registry.
Download counts for specific versions of a package are only available for the previous 7 days. They have their own API endpoint:
GET https://api.npmjs.org/versions/{package}/last-week
Note: for scoped packages, the / needs to be percent encoded (@slack/client -> @slack%2Fclient).
They're also displayed in the Versions tab of the package's home page.
After updating my NPM to the latest version (from 3.X to 5.2.0) and running npm install on an existing project, I get an auto-created package-lock.json file.
I can tell package-lock.json gives me an exact dependency tree as opposed to package.json.
From that info alone, it seems like package.json is redundant and not needed anymore.
Are both of them necessary for NPM to work?
Is it safe or possible to use only the package-lock.json file?
The docs on package-lock.json (doc1, doc2) don't mention anything about that.
Edit:
After some more thinking about it, I came to the conclusion that if someone wants to use your project with an older version of NPM (before 5.x), it would still install all of the dependencies, but with less accurate versions (patch versions).
Do you need both package-lock.json and package.json? No.
Do you need the package.json? Yes.
Can you have a project with only the package-lock.json? No.
The package.json is used for more than dependencies - like defining project properties, description, author & license information, scripts, etc. The package-lock.json is solely used to lock dependencies to a specific version number.
package-lock.json: records the exact version of each installed package which allows you to re-install them. Future installs will be able to build an identical dependency tree.
package.json: records the minimum version your app needs. If you update the versions of a particular package, the change is not going to be reflected here.
If your question is whether the lock file should be committed to your source control: it should. It will be ignored under certain circumstances.
I found it bloating pull requests and commit history, so if you see it change, do a separate commit for it.