npm prevents unpublishing packages published more than 72 hours ago unless specific criteria are met. This policy exists to maintain Node.js ecosystem stability and prevent breaking changes that could impact thousands of dependent projects.
npm prevents unpublishing packages published more than 72 hours ago unless specific criteria are met. The E405 error occurs when you attempt to unpublish a package that exceeds this window or fails to meet npm's ecosystem-protection requirements. This policy exists to maintain Node.js ecosystem stability and prevent breaking changes that could impact thousands of dependent projects. It was implemented following the infamous "left-pad" incident (2016), where unpublishing a widely-used utility package broke thousands of JavaScript projects ecosystem-wide. After 72 hours, you can only unpublish if your package has: - Zero dependent packages in npm registry - Fewer than 300 downloads in the past week - A single owner/maintainer
Verify if your package qualifies for unpublishing after 72 hours:
- Has zero dependent packages in npm registry
- Has fewer than 300 downloads in the past week
- Has a single owner/maintainer
Check dependencies using npm's package page: https://npmjs.com/package/{your-package}
If your package doesn't meet unpublish criteria, deprecate it instead:
# Deprecate entire package
npm deprecate your-package "This package is deprecated. Please use alternative-package instead."
# Deprecate specific version
npm deprecate [email protected] "Version 1.0.0 has security vulnerabilities. Please upgrade."
# Undeprecate (remove deprecation)
npm deprecate your-package ""Deprecation warns users during install and removes the package from search results without breaking existing installations.
If you're within 72 hours of publishing and have no dependents:
npm unpublish your-package --force
# or unpublish specific version
npm unpublish [email protected] --forceNote: Once unpublished, you cannot reuse that version number. You must publish a new version if republishing.
If your package meets unpublish criteria but the command still fails:
1. Visit npm support: https://support.npmjs.com
2. Submit a request explaining your situation
3. Include evidence that your package meets criteria
4. Wait for npm support team response
Manual review is available for edge cases like security vulnerabilities or account compromises.
If you no longer maintain a package but others depend on it:
npm owner add npm your-package
npm owner rm your-username your-packageThis transfers ownership to npm's official account. After transfer, you cannot update the package, but it remains available and safe in the registry.
The left-pad incident: In 2016, a developer unpublished his popular "left-pad" package (11 lines of code), breaking thousands of projects including major frameworks. This incident prompted npm to implement strict unpublish policies.
Version immutability: Package versions are immutable once published—even if unpublished, that version number can never be reused.
24-hour republish moratorium: Unpublishing all versions of a package triggers a 24-hour period where you cannot republish under that name.
Deprecation vs unpublish: Deprecation is superior for most scenarios because it provides user warning, maintains ecosystem continuity, and allows gradual migration.
npm notice access token expired or revoked. Please try logging in again.
Token has expired - npm authentication failure
npm ERR! code EAI_AGAIN
How to fix "EAI_AGAIN" in npm
npm error code E403 npm error 403 Forbidden - PUT https://registry.npmjs.org/<package>
How to fix 'E403 Forbidden' error in npm
npm ERR! code EUSAGE npm ERR! Usage error
How to fix "npm ERR! code EUSAGE" in Node.js projects
npm ERR! code E401 npm ERR! 401 Unauthorized
How to fix "E401 Unauthorized" in npm