
Bug in NPM version - blacklist the patch version

Say we publish an NPM package that ends up having a bug; say it is version 1.0.056.

Is there a way to tell NPM to blacklist it, meaning if users have this in package.json:

^1.0.05

that it would endeavor to only install 1.0.057 or 1.0.055?

The idea is when you patch the bug, if it doesn't impact any of the exposed API, then not much reason to make a big semver change? Or maybe on the other hand an important bugfix should call for a minor version change?

Obviously NPM doesn't encourage people to delete packages, we want immutability, but unless a user explicitly requests that version, I want NPM to avoid installing it at all costs?

Alexander Mills asked Sep 17 '25 05:09


1 Answer

npm deprecate covers a historical version when you discover a problem later:

npm deprecate <pkg>[@<version>] <message>

This command will update the npm registry entry for a package, providing a deprecation warning to all who attempt to install it.


If it was only just published (72 hours) then there is also:

npm unpublish [<@scope>/]<pkg>[@<version>]

This removes a package version from the registry, deleting its entry and removing the tarball.

  • https://www.npmjs.com/policies/unpublish
  • https://docs.npmjs.com/cli/unpublish
shadowspawn answered Sep 19 '25 14:09
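
How a consumer can check a lockfile for versions hit by either command, as an added example that is not part of the original answer: `npm deprecate` leaves a `deprecated` message on that version's entry in the registry metadata, and an unpublished version is absent from it. The package names, the sample data and the `auditLock` helper are constructed for illustration.

```javascript
// Added example: audit a lockfile against registry metadata (all data is constructed).
'use strict';

// Constructed registry documents for hypothetical packages.
// A deprecated version carries a `deprecated` message string;
// an unpublished version is simply absent from `versions`.
const samplePackuments = {
  'example-lib': {
    name: 'example-lib',
    versions: {
      '1.0.55': {},
      '1.0.56': { deprecated: 'Bug in 1.0.56, upgrade to 1.0.57' },
      '1.0.57': {},
    },
  },
  'other-lib': { name: 'other-lib', versions: { '2.1.0': {} } },
};

// Constructed "packages" map in the package-lock.json layout (lockfileVersion 2/3).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '0.1.0' },
    'node_modules/example-lib': { version: '1.0.56' },
    'node_modules/other-lib': { version: '2.0.0' },
    'node_modules/other-lib/node_modules/example-lib': { version: '1.0.57' },
  },
};

// Report every locked version that is deprecated or no longer in the registry.
function auditLock(lock, packuments) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // skip the root project and linked workspaces
    const name = entry.name || path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const doc = packuments[name];
    if (!doc) continue; // no metadata supplied for this package
    const meta = doc.versions[entry.version];
    if (!meta) {
      findings.push({ path, name, version: entry.version, status: 'missing' });
    } else if (meta.deprecated) {
      findings.push({ path, name, version: entry.version, status: 'deprecated', message: meta.deprecated });
    }
  }
  return findings;
}

console.log(auditLock(sampleLock, samplePackuments));
```

A lockfile that pins the deprecated version keeps installing it, so a check like this belongs in CI next to the install step.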