Secure npm unpublish.

Due to a recent accident, npm will need to change its unpublishing policy.

Here is my suggestion of how to proceed:

  1. Once an author unpublishes their package, npm should mark it as deprecated.
  2. Deprecated packages should remain available for a while.
  3. When npm installs a deprecated package, a warning should be displayed.
  4. Warn about the deprecation on the package’s npm page and on the pages of all its dependents.
  5. Email dependents if they don’t remove that dependency after a while.
  6. After a while, or when all dependents have removed the deprecated package, remove the package and replace it with a placeholder.