The obvious solution is that unpublish should be available within a time window after a new version is published and then unavailable after that.
There is a time window - https://docs.npmjs.com/policies/unpublish
Yes, but they didn't do it properly. They only allow unpublishing if there are no dependants, which means it can't be used to pull a package version for security reasons.
It should be that within the first X hours you can pull a version regardless of dependants, after that you should need approval.