Secure npm unpublish.
Due to a recent accident, npm will need to change its unpublishing policy.
Here is my suggestion for how to proceed:
- Once an author unpublishes their package, npm should mark it as deprecated.
- Deprecated packages should remain available for a while.
- When npm installs a deprecated package, a warning should be displayed.
- Warn about the deprecation on the package’s npm page and on every page of its dependents.
- Email dependents if they don’t remove that dependency after a while.
- After a while, or once all dependents have removed the deprecated package, remove the package and replace it with a placeholder.
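As an added illustration (not code from this post or from npm itself), here is a toy registry that models the lifecycle above: unpublish only deprecates, installs of a deprecated package return a warning, lingering dependents are emailed after a grace period, and the package is retired either when no dependents remain or when a retention limit passes. The 7- and 30-day periods, the package names and the rule that the placeholder keeps the name reserved are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Added example: toy registry modelling the proposed policy; day counts are constructed.
REMINDER_AFTER = 7   # days after unpublish before still-pinned dependents get an email
RETENTION = 30       # days after unpublish before the package becomes a placeholder

@dataclass
class Package:
    name: str
    version: str
    deprecated_on: Optional[int] = None   # day the author unpublished, if ever
    placeholder: bool = False             # tarball gone, name still reserved (assumption)
    dependents: Set[str] = field(default_factory=set)

class Registry:
    def __init__(self) -> None:
        self.packages: Dict[str, Package] = {}
        self.emails: List[Tuple[str, str]] = []   # (dependent, package) reminders sent

    def publish(self, name: str, version: str) -> None:
        if name in self.packages and self.packages[name].placeholder:
            raise PermissionError(f"{name} is reserved by a placeholder")  # no name takeover
        self.packages[name] = Package(name, version)

    def unpublish(self, name: str, today: int) -> None:
        # Unpublish no longer deletes anything: it only marks the package deprecated.
        self.packages[name].deprecated_on = today

    def install(self, name: str, dependent: str) -> Optional[str]:
        pkg = self.packages[name]
        if pkg.placeholder:
            raise LookupError(f"{name} was removed; only a placeholder remains")
        pkg.dependents.add(dependent)
        if pkg.deprecated_on is not None:
            return f"WARN: {name}@{pkg.version} is deprecated (unpublished by its author)"

    def drop_dependency(self, name: str, dependent: str) -> None:
        self.packages[name].dependents.discard(dependent)

    def sweep(self, today: int) -> None:
        for pkg in self.packages.values():
            if pkg.deprecated_on is None or pkg.placeholder:
                continue
            age = today - pkg.deprecated_on
            for dep in sorted(pkg.dependents):   # remind each lingering dependent once
                if age >= REMINDER_AFTER and (dep, pkg.name) not in self.emails:
                    self.emails.append((dep, pkg.name))
            if not pkg.dependents or age >= RETENTION:
                pkg.placeholder = True   # package gone, name stays reserved
```

Run `sweep` once per day in the model; in a real registry the same job would also drive the package-page and dependent-page warnings.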