I do not envy the position the npm team are in. They removed the ability to unpublish packages as a response to the left-pad incident[1] because it wasn't desirable for individual developers to break downstream dependencies by pulling their package maliciously.
Of course the side effect is that now it's much harder to pull packages for legitimate reasons :/
Maybe give publishers a way to quarantine versions with a warning that stops the install, but allows users can override if they choose to is the next step?
Give a publisher a way to tag a version as malicious and then in those hours between the exploit being noticed and the package being removed anyone who tries to install gets a message about that version being quarantined and asking whether they want to proceed.
It's not a perfect solution, but I think it's better than just waiting for NPM to take action without opening the door up to another left pad situation.
I think cargo's yank is a good balance. It makes it difficult to pull the yanked version in as a dependency, but doesn't break existing usages, as long as the version is in the lockfile. And I think even then gives you a warning that you are using a yanked package.
The obvious solution is that unpublish should be available within a time window after a new version is published and then unavailable after that.
There is a time window - https://docs.npmjs.com/policies/unpublish
Yes but they didn't do it properly. They only allow unpublishing if there are no dependants, which means it can't be used to pull a package version for security reasons.
It should be that within the first X hours you can pull a version regardless of dependants, after that you should need approval.
I would prefer my builds to break than the ecosystem to be compromised.
That said, once unpublished the version should be permanently unavailable to prevent publishing over known good versions.
I mean they brought that incident on themselves...