npm prevents unpublishing packages published more than 72 hours ago unless specific criteria are met. This policy exists to maintain Node.js ecosystem stability and prevent breaking changes that could impact thousands of dependent projects.
npm prevents unpublishing packages published more than 72 hours ago unless specific criteria are met. The E405 error occurs when you attempt to unpublish a package that exceeds this window or fails to meet npm's ecosystem-protection requirements. This policy exists to maintain Node.js ecosystem stability and prevent breaking changes that could impact thousands of dependent projects. It was implemented following the infamous "left-pad" incident (2016), where unpublishing a widely-used utility package broke thousands of JavaScript projects ecosystem-wide. After 72 hours, you can only unpublish if your package has: - Zero dependent packages in npm registry - Fewer than 300 downloads in the past week - A single owner/maintainer
Verify if your package qualifies for unpublishing after 72 hours:
- Has zero dependent packages in npm registry
- Has fewer than 300 downloads in the past week
- Has a single owner/maintainer
Check dependencies using npm's package page: https://npmjs.com/package/{your-package}
If your package doesn't meet unpublish criteria, deprecate it instead:
# Deprecate entire package
npm deprecate your-package "This package is deprecated. Please use alternative-package instead."
# Deprecate specific version
npm deprecate [email protected] "Version 1.0.0 has security vulnerabilities. Please upgrade."
# Undeprecate (remove deprecation)
npm deprecate your-package ""Deprecation warns users during install and removes the package from search results without breaking existing installations.
If you're within 72 hours of publishing and have no dependents:
npm unpublish your-package --force
# or unpublish specific version
npm unpublish [email protected] --forceNote: Once unpublished, you cannot reuse that version number. You must publish a new version if republishing.
If your package meets unpublish criteria but the command still fails:
1. Visit npm support: https://support.npmjs.com
2. Submit a request explaining your situation
3. Include evidence that your package meets criteria
4. Wait for npm support team response
Manual review is available for edge cases like security vulnerabilities or account compromises.
If you no longer maintain a package but others depend on it:
npm owner add npm your-package
npm owner rm your-username your-packageThis transfers ownership to npm's official account. After transfer, you cannot update the package, but it remains available and safe in the registry.
The left-pad incident: In 2016, a developer unpublished his popular "left-pad" package (11 lines of code), breaking thousands of projects including major frameworks. This incident prompted npm to implement strict unpublish policies.
Version immutability: Package versions are immutable once published—even if unpublished, that version number can never be reused.
24-hour republish moratorium: Unpublishing all versions of a package triggers a 24-hour period where you cannot republish under that name.
Deprecation vs unpublish: Deprecation is superior for most scenarios because it provides user warning, maintains ecosystem continuity, and allows gradual migration.
npm ERR! code ENOAUDIT npm ERR! Audit endpoint not supported
How to fix "npm ERR! code ENOAUDIT - Audit endpoint not supported"
npm ERR! code EBADDEVENGINES npm ERR! devEngines.runtime incompatible with current node version
How to fix "npm ERR! code EBADDEVENGINES - devEngines.runtime incompatible with current node version"
npm ERR! code ETOOMANYARGS npm ERR! Too many arguments
How to fix "npm ERR! code ETOOMANYARGS - Too many arguments"
npm ERR! code EINVALIDTAGNAME npm ERR! Invalid tag name: tag names cannot contain spaces
How to fix "npm ERR! code EINVALIDTAGNAME - tag names cannot contain spaces"
npm ERR! code E400 npm ERR! 400 Bad Request
How to fix "npm ERR! code E400 - 400 Bad Request" error