How to Unpublish an npm Package? Please Help!

[polarrwl2023]

Select Topic Area

Question

Body

I need to urgently unpublish an npm package that was published approximately one week ago (so it's well past the 72-hour window). Due to the sensitivity of the situation, I'd prefer not to disclose the package name publicly here.

Could someone please advise on the correct procedure for unpublishing a package in this case?

[lahiruchinthana]

If the package was published more than 72 hours ago, you won’t be able to fully unpublish it yourself due to npm’s unpublish policy. After that only the npm support team can intervene.

• Open a support ticket with npm → Go to https://www.npmjs.com/support

• Choose “Report a security vulnerability” or “Unpublish request (after 72 hours)” — depending on what best matches your case.

• Explain clearly why you need it removed, and include:

The package name (you can give this privately in the support form)
Approximate publish date
The reason for unpublishing (e.g., sensitive data exposure, legal or security issue)

npm Support will review your case and can either unpublish it or transfer it to a private package if full removal isn’t possible.

[polarrwl2023]

Thank you very much for your response.

Now, I've visited the website. To confirm, is selecting and submitting the form as shown in the screenshot above the correct process? and then post the message explan what the package(s) I wish to delete and the delete reason?

[VIDAKHOSHPEY22]

Yep thats exactly it
Since its past the 72 hour window you cant unpublish the package yourself submitting the form is the right way now
Just make sure to pick the correct option unpublish request after 72 hours or report a security vulnerability and explain clearly

• the package name privately in the form
• approximate publish date
• why you need it removed
  npm will review it and either unpublish it or help make it private if full removal isnt possible
  Thats all you need to do giving clear info usually gets a faster response🙏🏻

[lahiruchinthana]

1. First you should check if it meets npm’s unpublish criteria

You can still unpublish after 72 hours if all of these conditions are true:
• No other public npm packages depend on it
• It has had fewer than 300 downloads in the past week
• It has a single maintainer/owner

If your package meets all of these conditions, you can unpublish it using:

npm unpublish <package-name> --force

or for a specific version:

npm unpublish <package-name>@<version>

2. If it does not meet the criteria

You’ll need to deprecate the package instead. This is the recommended and safer approach, as it doesn’t break existing installs but warns users not to use it:

npm deprecate <package-name> "<message>"

For example:

npm deprecate my-package "This package has been deprecated due to sensitive content. Please stop using it."

This message will appear:
• On the npm package page
• As a warning when users install the package

3. If above mentions not working get a support.

• “How can we help?”

Choose:
➡️ “I’m reporting spam, abuse or a security issue.”

• My Security Issue:
  ➡️ I am reporting spam or abuse in a package on npmjs.com

Do NOT include “I am reporting malware in a package” — unless your package actually contains malware. That category is for malicious package reports, not mistaken or sensitive publications.

Smaple Message -

`Hello npm Support Team,

I need to urgently unpublish a package that I published approximately one week ago.

Package name: [your_package_name]
Reason: Sensitive/private content was accidentally included in the published code.

Since the 72-hour window has passed, I understand that I cannot unpublish this myself.
Please assist in removing the package from the public registry as soon as possible.

Thank you for your help,
[Your Name]
[Your npm username / email] `

[polarrwl2023]

I found a workaround: while you can't run npm unpublish --force to delete the entire package, you can unpublish a specific version using npm unpublish <package-name>@<version>. However, npm requires you to keep the latest version. So I just need to clear the content of that version. Even if someone installs my package, they won't see the actual content.

[lahiruchinthana]

Yep. follow the doc - https://docs.npmjs.com/policies/unpublish

[MOHAMED-LAAGUILI]

1. You cannot unpublish directly after 72 hours

The command below will fail if the package is older than 72 hours:

npm unpublish <package-name> --force

npm enforces this limit for stability reasons.

📨 2. Contact npm Support (the correct path)

You’ll need to open a private support ticket with npm to request package removal.

Go to:
🔗 https://www.npmjs.com/support

Then:

Log in with the account that owns the package.

Choose “Package Takedown Request”.

Include:

The exact package name.

The reason for removal (e.g. sensitive data, security issue, accidental publication).

A confirmation that you are the package owner or maintainer.

npm’s support team will review and manually process your request.

⚙️ 3. Alternative (Recommended by npm)

If you just want to prevent further installs but keep the version history intact:

npm deprecate <package-name>@<version> "This package is deprecated and should not be used."

This is ideal if the issue isn’t legal or security-critical — it preserves stability for others who might depend on it.

[polarrwl2023]

npmjs.com/support do not have "Package Takedown Request" selection，Is is a "AI" answer？

[MOHAMED-LAAGUILI]

yes

[MOHAMED-LAAGUILI]

choose one of these categories to continue.

Dispute a package, org, or username