
Pinning to a specific version doesn't protect against the author unpublishing that version.

The problem with the `*` bug is that it means you can stop anyone from unpublishing future versions of their package by simply creating a package that depends on it with a `*` identifier and publishing that to the registry.




> Pinning to a specific version doesn't protect against the author unpublishing that version.

It does if your project is also in the npm public registry and the package you're dependent on is more than 72 hours old.

https://docs.npmjs.com/policies/unpublish
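An added check (not code from the thread or from npm) that applies the 72-hour rule above to pinned versions: it flags pins whose publish time, read from a packument-style `time` map, is still inside the window in which the author can unpublish unilaterally. The package names, versions, timestamps and the clock value are constructed.

```python
"""Audit pinned dependencies against npm's 72-hour unpublish window.

Added example, not from the thread. It uses a constructed package-lock-style
pin list and constructed packument `time` maps (real registry packuments
carry a `time` object keyed by version with ISO-8601 publish timestamps).
"""
from datetime import datetime, timedelta

UNPUBLISH_WINDOW = timedelta(hours=72)

# Constructed sample data in the shape `npm view <pkg> time --json` returns.
PACKUMENT_TIMES = {
    "left-pad": {"1.3.0": "2018-04-13T16:15:02.123Z"},
    "fresh-lib": {"0.1.0": "2024-06-01T09:00:00.000Z"},
}

# Constructed pins, as they would appear resolved in a package-lock.json.
PINNED = {"left-pad": "1.3.0", "fresh-lib": "0.1.0"}


def parse_stamp(stamp: str) -> datetime:
    """Parse a registry ISO-8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def published_at(pkg: str, version: str) -> datetime:
    """Publish time of one version, taken from the packument `time` map."""
    return parse_stamp(PACKUMENT_TIMES[pkg][version])


def unpublishable_pins(pins: dict, now_iso: str) -> list:
    """Return pins whose version is still inside the 72-hour window.

    Inside the window the author can remove the version on their own, so a
    pin offers no protection yet. Past the window a version can only be
    unpublished under further conditions (e.g. no other registry package
    depends on it), which is the protection the reply above relies on.
    """
    now = parse_stamp(now_iso)
    flagged = []
    for pkg, version in pins.items():
        if now - published_at(pkg, version) < UNPUBLISH_WINDOW:
            flagged.append(f"{pkg}@{version}")
    return flagged


if __name__ == "__main__":
    # Constructed clock: 51 hours after fresh-lib@0.1.0 was published.
    print(unpublishable_pins(PINNED, "2024-06-03T12:00:00Z"))  # → ['fresh-lib@0.1.0']
```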



