Protection Coverage
npm / yarn / pnpm
Protection patterns for npm, yarn, and pnpm package manager operations
The npm check group covers destructive package manager operations that can break downstream dependents.
npm checks
Unpublish (npm)
| ID | npm:unpublish |
| Severity | Critical |
Unpublishing removes a package, or one of its versions, from the registry and breaks every project that depends on it. The left-pad incident proved how devastating this can be.
```bash
# Triggers
npm unpublish
npm unpublish my-package
npm unpublish my-package@1.0.0
npm unpublish --force
# Does NOT trigger
npm publish
npm install
npm list
```
Deprecate (npm)
| ID | npm:deprecate |
| Severity | High |
Marks a package, or a version range of it, as deprecated for all users; the deprecation message is shown as a warning on every install.
```bash
# Triggers
npm deprecate my-package "this package is deprecated"
npm deprecate my-package@1.x "use v2 instead"
# Does NOT trigger
npm info my-package
```
Unpublish (yarn)
| ID | npm:yarn_unpublish |
| Severity | Critical |
```bash
# Triggers
yarn npm unpublish
yarn npm unpublish my-package
yarn npm unpublish my-package --force
# Does NOT trigger
yarn npm publish
yarn install
```
Unpublish (pnpm)
| ID | npm:pnpm_unpublish |
| Severity | Critical |
```bash
# Triggers
pnpm unpublish
pnpm unpublish my-package
pnpm unpublish my-package@1.0.0 --force
# Does NOT trigger
pnpm publish
pnpm install
```
Summary table
| ID | Command | Severity |
|---|---|---|
| npm:unpublish | npm unpublish | Critical |
| npm:deprecate | npm deprecate | High |
| npm:yarn_unpublish | yarn npm unpublish | Critical |
| npm:pnpm_unpublish | pnpm unpublish | Critical |
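To show how the trigger and non-trigger lists above can be turned into a check, here is a small matcher that maps a shell command line to the check ID and severity from the summary table. It is an added illustration, not the project's own matching code; it assumes plain POSIX shell syntax, that flags take the `--flag` or `--key=value` form, and it also inspects each segment of a chained line (`cd pkg && npm unpublish`), which the page's examples do not cover.

```python
"""Matcher for the npm check group described on this page (illustrative, not
the project's implementation): returns the check ID and severity a command
line would trigger, or None when it does not match any pattern."""
import shlex

# (program, subcommand...) -> (check ID, severity), copied from the summary table.
NPM_CHECKS = {
    ("npm", "unpublish"): ("npm:unpublish", "Critical"),
    ("npm", "deprecate"): ("npm:deprecate", "High"),
    ("yarn", "npm", "unpublish"): ("npm:yarn_unpublish", "Critical"),
    ("pnpm", "unpublish"): ("npm:pnpm_unpublish", "Critical"),
}

# Shell operators that join simple commands; each side is checked on its own.
SEPARATORS = {"&&", "||", ";", "|"}


def _segments(command_line):
    """Split a shell line into simple commands. Assumes plain sh syntax
    (no subshells or command substitution); unbalanced quotes fall back to
    whitespace splitting so a malformed line is still inspected."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True          # keep 'my-package@1.0.0' as one token
    try:
        tokens = list(lexer)
    except ValueError:
        tokens = command_line.split()
    segments, current = [], []
    for tok in tokens:
        if tok in SEPARATORS:
            segments.append(current)
            current = []
        else:
            current.append(tok)
    segments.append(current)
    return segments


def match_npm_check(command_line):
    """Return (check ID, severity) for the first segment that triggers a
    check, e.g. 'npm unpublish --force' -> ('npm:unpublish', 'Critical')."""
    for segment in _segments(command_line):
        # Flags such as --force do not change which subcommand runs, so drop
        # them before comparing the leading words against each pattern.
        words = tuple(t for t in segment if not t.startswith("-"))
        for prefix, result in NPM_CHECKS.items():
            if words[:len(prefix)] == prefix:
                return result
    return None
```

A line like `npm publish` or `yarn install` returns None because only the exact program/subcommand prefixes in the table are treated as destructive.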