`npm unpublish -f` give strange unhelpful console outputs

@papb wrote:

Note: sorry for not following the issue template, it was bothering me, I will go right to the point.

Summary

I wanted to unpublish my entire package, which I created just for testing purposes. I executed npm unpublish -f from the folder containing my package.json, thinking that npm would infer the package name from it. I expected it to simply work. But NPM goes crazy.

Reproduction Steps

Note: I used quick-test-unpublish-querty as a package name, but to reproduce you will have to use a different one I guess, since now this name is taken.

• Step 1. mkdir quick-test-unpublish-querty && cd quick-test-unpublish-querty
• Step 2. npm init -y
• Step 3. Create a dummy README.md just in case
• Step 4. npm publish
• Step 5. Check that it is really published, ok
• Step 6. npm unpublish -f - observe the following unhelpful output:

npm WARN using --force I sure hope you know what you are doing.
-undefined

• Step 7. Run it a second time npm unpublish -f: observe the weirdest output:

npm WARN using --force I sure hope you know what you are doing.
npm ERR! code E403
npm ERR! 403 Forbidden - DELETE https://registry.npmjs.org/quick-test-unpublish-querty/-rev/1-0526bac33a57c4e587540f30f3e8efad - You do not have permission to publish "quick-test-unpublish-querty". Are you logged in as the correct user?

• Step 8. Astonishingly observe that the package was actually unpublished somehow.

Suggestions

While we’re at it, calling npm unpublish -f from a folder which does not have a package.json gives a sligthly better error message but it could still be improved:

$ npm unpublish -f
npm WARN using --force I sure hope you know what you are doing.
npm ERR! Usage: undefined

I think a better error message such as Missing package name or something would be better.

I would also like to suggest that calling npm unpublish -f should never work. Even when inside the package folder, I think it would be safer to require the package name regardless. This could work as a safety measure, just like when we want to delete a repository on GitHub and we have to type its name (to make sure we’re not deleting the wrong thing)!

Platform Info

$ npm --versions
{ npm: '6.8.0',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.0',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.45',
  zlib: '1.2.11' }
$ node -p process.platform
win32

Posts: 4

Participants: 2

Read full topic