Cli: [BUG] npm unpublish returns error 404 and no error printed unless verbose loglevel is used

Created on 29 Jun 2020  ·  14 Comments  ·  Source: npm/cli

What / Why

npm unpublish does not work, and does not show any error even though the registry answers with a code 404.

When

npm unpublish @siliceum/[email protected] --loglevel verbose

Where

npm public registry

How

Current Behavior

The command line only prints

while the server answers with an error 404.

Also, the endpoint https://registry.npmjs.org/@siliceum%2fcalcite-cli returns information but the version with ?write=true (https://registry.npmjs.org/@siliceum%2fcalcite-cli?write=true) returns an error 404 not found.

Steps to Reproduce

npm unpublish @siliceum/[email protected]

Expected Behavior

The package is either unpublished or an error is printed (ultimately, something other than a 404).
With the verbose loglevel it is possible to have the following output

npm unpublish @siliceum/[email protected] --loglevel verbose

npm info it worked if it ends with ok
npm verb cli [
npm verb cli 'C:\Program Files\nodejs\node.exe',
npm verb cli 'C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js',
npm verb cli 'unpublish',
npm verb cli '@siliceum/[email protected]',
npm verb cli '--loglevel',
npm verb cli 'verbose'
npm verb cli ]
npm info using [email protected]
npm info using [email protected]
npm verb npm-session e43c8f8257e968e5
npm http fetch GET 404 https://registry.npmjs.org/@siliceum%2fcalcite-cli?write=true 492ms

- @siliceum/[email protected]
npm verb exit [ 0, true ]
npm timing npm Completed in 1157ms
npm info ok
Bug

All 14 comments

Also having this problem with both npm unpublish and npm deprecate!

$ npm deprecate --force --verbose [email protected] "Generates errors related to exports in the browser, use 1.2.2 or newer"
...
npm http fetch GET 200 https://registry.npmjs.org/luar?write=true 328ms
npm http fetch PUT 404 https://registry.npmjs.org/luar 98ms
npm verb stack Error: 404 Not Found - PUT https://registry.npmjs.org/luar - Not found
npm verb stack     at /usr/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:114:15
npm verb stack     at processTicksAndRejections (internal/process/task_queues.js:93:5)
npm verb statusCode 404
npm verb pkgid [email protected]
...
npm ERR! code E404
npm ERR! 404 Not Found - PUT https://registry.npmjs.org/luar - Not found
npm ERR! 404 
npm ERR! 404  '[email protected]' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
...
$ npm unpublish --force --verbose [email protected]
...
npm http fetch GET 200 https://registry.npmjs.org/luar?write=true 257ms
npm http fetch PUT 404 https://registry.npmjs.org/luar/-rev/5-260b27ca1cdb4a5d3b4175578e1c0300 99ms
npm verb stack Error: 404 Not Found - PUT https://registry.npmjs.org/luar/-rev/5-260b27ca1cdb4a5d3b4175578e1c0300 - Not found
npm verb stack     at /usr/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:114:15
npm verb stack     at processTicksAndRejections (internal/process/task_queues.js:93:5)
npm verb statusCode 404
npm verb pkgid [email protected]
...
npm ERR! code E404
npm ERR! 404 Not Found - PUT https://registry.npmjs.org/luar/-rev/5-260b27ca1cdb4a5d3b4175578e1c0300 - Not found
npm ERR! 404 
npm ERR! 404  '[email protected]' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
...

Having the same issue when running npm deprecate - getting back a 404 Not Found. The cause was because I wasn't authenticated correctly (npm adduser sorted it out) - but the Not Found output leads you off on tangents. Even if there's no possibility for the server API to return a different status code (such as a 401), some output from these commands to suggest logging in would be good. The output could be generic and always shown ("make sure you're logged in!") or could be shown if you don't have an authToken present.

But I am logged in! This is in the exact same terminal session where I just published a new version as the owner of the package

Oops! Never mind that, I just logged out and logged back in and now both functions work, weird, sorry for the confusion!

@luawtf Ah, in that case, it sounds like this is the same situation as mine -- these commands displaying 404 Not Found when the actual issue is authentication-related.

Yep! I agree that a more general and verbose error would be great.
Also, why does the registry return a 404 when a 401 Unauthorized would make more sense? Shouldn't that also be fixed?

Agreed. Seems odd for packages that are already public -- there's nothing to be gained security-wise by returning a 404 rather than 401 in this case. It would make sense if a package was private, much like how GitHub shows a 404 if you try and access a private repo when logged out so as to not give away the fact there's anything at all at that URL.

I can confirm the issue was that I was not logged in.
Returning a 401 or having a message warning about not being logged in both sound good to me.

We ran into this with a public package as well. npm unpublish @scope/package@version --verbose shows a 404, but otherwise the unpublish appears to be successful.

I have the same problem, being unable to deprecate a package of mine. I assumed it had something to do with the package being scoped, since I noticed that the slash in the package name is shown as %2f in the URL, but I really don't understand what's going on.

$ node -v
v14.15.0
$ npm -v
6.14.8
$ npm deprecate @alling/foo-bar "This package should not be used."
npm ERR! code E404
npm ERR! 404 Not Found - PUT https://registry.npmjs.org/@alling%2ffoo-bar - Not found
npm ERR! 404 
npm ERR! 404  '@alling/foo-bar@latest' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

@SimonAlling what happens with npm v7.0.11?

$ docker run -it node bash
# npm -v
7.0.8
# npm login
Logged in as alling on https://registry.npmjs.org/.
npm notice 
npm notice New patch version of npm available! 7.0.8 -> 7.0.11
npm notice Changelog: https://github.com/npm/cli/releases/tag/v7.0.11
npm notice Run npm install -g [email protected] to update!
npm notice 
# npm deprecate nonexisting-package-asdfasdf LOL
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/nonexisting-package-asdfasdf?write=true
npm ERR! 404 
npm ERR! 404  'nonexisting-package-asdfasdf@latest' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
# npm deprecate @alling/foo-bar "This package should not be used."

No error or other output, but no deprecation message showed up on the package page (i.e. https://www.npmjs.com/package/@alling/foo-bar), even after like half an hour, so I tried running the command again:

# npm deprecate @alling/foo-bar "This package should not be used."
npm ERR! code E422
npm ERR! 422 Unprocessable Entity - PUT https://registry.npmjs.org/@alling%2ffoo-bar - Unprocessable Entity

However, if I go to a specific version of the package (e.g. https://www.npmjs.com/package/@alling/foo-bar/v/1.1.6), I see the expected deprecation message*. But I want it to show up on the main package page as well (like e.g. urix).

* Latest version: _This package has been deprecated_. Any other version: _This version has been deprecated_.

EDIT: The deprecation message finally showed up on the main package page.

That’s using npm v7.0.8; can you npm install -g npm@7 before running the deprecate command?

The deprecation message finally appeared on the main package page, so I believe it works with npm v7.0.8. :slightly_smiling_face:
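
A triage sketch for the pattern discussed in this thread, added here as an example and not part of npm or of any comment above: it reads `npm http fetch` lines from `--verbose` output and flags a 404 on a write request (PUT, or GET with `?write=true`) for a package that also answered 2xx, the case commenters traced to authentication. The function names and verdict strings are assumptions; the sample lines are fetch lines quoted in the thread.

```javascript
// Added example: triage `npm http fetch` lines from --verbose output.
// Function names and verdict strings are illustrative, not npm's.
const FETCH_RE = /^npm http fetch ([A-Z]+) (\d{3}) (\S+)/;

// Recover the package name from a registry URL path; scoped names
// appear as "@scope%2fname" in the logs quoted in this thread.
function packageFromPath(pathname) {
  const segs = pathname.split('/').filter(Boolean);
  if (segs.length === 0) return null;
  let name = decodeURIComponent(segs[0]);
  if (name.startsWith('@') && !name.includes('/') && segs[1]) {
    name += '/' + decodeURIComponent(segs[1]);
  }
  return name;
}

function triage(logText) {
  const seen = new Map(); // package -> { ok, write404 }
  for (const line of logText.split(/\r?\n/)) {
    const m = FETCH_RE.exec(line.trim());
    if (!m) continue;
    const [, method, code, rawUrl] = m;
    let url;
    try { url = new URL(rawUrl); } catch { continue; } // skip malformed URLs
    const pkg = packageFromPath(url.pathname);
    if (!pkg) continue;
    const entry = seen.get(pkg) || { ok: false, write404: false };
    const status = Number(code);
    const isWrite = method !== 'GET' || url.searchParams.get('write') === 'true';
    if (status >= 200 && status < 300) entry.ok = true;
    if (status === 404 && isWrite) entry.write404 = true;
    seen.set(pkg, entry);
  }
  const verdicts = {};
  for (const [pkg, e] of seen) {
    if (e.write404 && e.ok) verdicts[pkg] = 'exists-but-write-404: check login (npm whoami)';
    else if (e.write404) verdicts[pkg] = 'write-404 only: compare with a plain GET of the package';
    else verdicts[pkg] = 'no write 404';
  }
  return verdicts;
}

// Sample input: fetch lines as they appear in the logs quoted in this thread.
const SAMPLE_LOG = [
  'npm http fetch GET 200 https://registry.npmjs.org/luar?write=true 328ms',
  'npm http fetch PUT 404 https://registry.npmjs.org/luar 98ms',
  'npm http fetch GET 404 https://registry.npmjs.org/@siliceum%2fcalcite-cli?write=true 492ms',
].join('\n');

console.log(triage(SAMPLE_LOG));
```

A write-only 404 with no 2xx in the same log is left ambiguous on purpose: the thread shows the same line for a package that exists and for one that does not.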
