
'everything' blocks devs from removing their own npm packages
2024-01-04 09:55

Because the 3,000+ packages that make up 'everything' together list every single npm package on the npmjs.com registry as a dependency, any author who has ever published to the npm registry is now unable to remove their packages at will, because of npm's unpublish policy.

Everything prevents you from unpublishing your packages.

Installing everything could merely have caused your computer to run short of storage space and slow down, but the package's mere existence on npmjs.com prevents authors who have no connection to this package whatsoever from unpublishing their own packages from the world's largest JavaScript software registry.

"Imagine you did an experiment, published a package to NPM and now you want to remove your NPM package. You can't do it if other packages are using it," writes Jossef Harush, Head of Software Supply Chain Security at Checkmarx on the company's blog.

However, following a 2016 incident in which left-pad's author removed his npm package in protest and broke a large part of the internet, npm made it more difficult for authors to unpublish packages.

One such policy change involved allowing authors to unpublish packages only if no other package on the npm registry is dependent on it.
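To make the mechanism concrete, here is an added JavaScript example (not from the article, Checkmarx, or npm) that models the "no unpublish while something depends on you" rule over a constructed mini registry and shows how one meta-package split into chunks leaves every other package with at least one dependent. The package names, the chunk layout and the chunk size are assumptions made for illustration.

```javascript
// Constructed mini registry: package name -> list of direct dependencies.
// (Hypothetical packages; only "left-pad" is a real name, used for flavour.)
function buildRegistry() {
  return {
    "left-pad": [],
    "is-odd": [],
    "tiny-util": [],
    "my-experiment": [],
  };
}

// Add an "everything"-style meta-package: every existing package is placed
// into a chunk package of at most `chunkSize` dependencies, and a root
// package depends on all chunks. Chunk names are hypothetical.
function addMetaPackage(registry, chunkSize) {
  const names = Object.keys(registry); // snapshot before adding chunks
  const chunks = [];
  for (let i = 0; i < names.length; i += chunkSize) {
    const chunk = `@everything/chunk-${chunks.length}`;
    registry[chunk] = names.slice(i, i + chunkSize);
    chunks.push(chunk);
  }
  registry["everything"] = chunks;
  return registry;
}

// Reverse index: package name -> set of packages that directly depend on it.
function dependents(registry) {
  const index = new Map(Object.keys(registry).map((n) => [n, new Set()]));
  for (const [pkg, deps] of Object.entries(registry)) {
    for (const dep of deps) {
      if (!index.has(dep)) index.set(dep, new Set()); // unknown dep: tolerate
      index.get(dep).add(pkg);
    }
  }
  return index;
}

// Packages the policy still allows to be unpublished: zero dependents.
function unpublishable(registry) {
  const index = dependents(registry);
  return Object.keys(registry).filter((n) => index.get(n).size === 0);
}

// Before the meta-package exists, every package can be unpublished;
// afterwards only the root "everything" itself can be.
console.log(unpublishable(buildRegistry()));
console.log(unpublishable(addMetaPackage(buildRegistry(), 2)));
```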

News URL

https://www.bleepingcomputer.com/news/security/everything-blocks-devs-from-removing-their-own-npm-packages/