[BUG] npm unpublish returns error 404 and not error printed unless verbose loglevel is used

[Lectem]

What / Why

npm unpublish does not work, and does not show any error even though the registry answers with a code 404.

When

npm unpublish @siliceum/calcite-cli@0.1.0 --loglevel verbose

Where

npm public registry

How

Current Behavior

The command line only prints

• @siliceum/calcite-cli@0.1.0

while the server answers with an error 404.

Also, the endpoint https://registry.npmjs.org/@siliceum%2fcalcite-cli returns information but the version with ?write=true (https://registry.npmjs.org/@siliceum%2fcalcite-cli?write=true) returns an error 404 not found.

Steps to Reproduce

npm unpublish @siliceum/calcite-cli@0.1.0

Expected Behavior

The package is either unpublished or an error is printed. (ultimately, something else than a 404).
With the verbose loglevel it is possible to have the following output

npm unpublish @siliceum/calcite-cli@0.1.0 --loglevel verbose

npm info it worked if it ends with ok
npm verb cli [
npm verb cli 'C:\Program Files\nodejs\node.exe',
npm verb cli 'C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js',
npm verb cli 'unpublish',
npm verb cli '@siliceum/calcite-cli@0.1.0',
npm verb cli '--loglevel',
npm verb cli 'verbose'
npm verb cli ]
npm info using npm@6.12.1
npm info using node@v12.13.1
npm verb npm-session e43c8f8257e968e5
npm http fetch GET 404 https://registry.npmjs.org/@siliceum%2fcalcite-cli?write=true 492ms

• @siliceum/calcite-cli@0.1.0
  npm verb exit [ 0, true ]
  npm timing npm Completed in 1157ms
  npm info ok

[luavixen]

Also having this problem with both npm unpublish and npm deprecate!

$ npm deprecate --force --verbose luar@1.2.1 "Generates errors related to exports in the browser, use 1.2.2 or newer"
...
npm http fetch GET 200 https://registry.npmjs.org/luar?write=true 328ms
npm http fetch PUT 404 https://registry.npmjs.org/luar 98ms
npm verb stack Error: 404 Not Found - PUT https://registry.npmjs.org/luar - Not found
npm verb stack     at /usr/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:114:15
npm verb stack     at processTicksAndRejections (internal/process/task_queues.js:93:5)
npm verb statusCode 404
npm verb pkgid luar@1.2.1
...
npm ERR! code E404
npm ERR! 404 Not Found - PUT https://registry.npmjs.org/luar - Not found
npm ERR! 404 
npm ERR! 404  'luar@1.2.1' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
...
$ npm unpublish --force --verbose luar@1.2.1
...
npm http fetch GET 200 https://registry.npmjs.org/luar?write=true 257ms
npm http fetch PUT 404 https://registry.npmjs.org/luar/-rev/5-260b27ca1cdb4a5d3b4175578e1c0300 99ms
npm verb stack Error: 404 Not Found - PUT https://registry.npmjs.org/luar/-rev/5-260b27ca1cdb4a5d3b4175578e1c0300 - Not found
npm verb stack     at /usr/lib/node_modules/npm/node_modules/npm-registry-fetch/check-response.js:114:15
npm verb stack     at processTicksAndRejections (internal/process/task_queues.js:93:5)
npm verb statusCode 404
npm verb pkgid luar@1.2.1
...
npm ERR! code E404
npm ERR! 404 Not Found - PUT https://registry.npmjs.org/luar/-rev/5-260b27ca1cdb4a5d3b4175578e1c0300 - Not found
npm ERR! 404 
npm ERR! 404  'luar@1.2.1' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
...

[davidjb]

Having the same issue when running npm deprecate - getting back a 404 Not Found. The cause was because I wasn't authenticated correctly (npm adduser sorted it out) - but the Not Found output leads you off on tangents. Even if there's no possibility for the server API to return a different status code (such as a 401), some output from these commands to suggest logging in would be good. The output could be generic and always shown ("make sure you're logged in!") or could be shown if you don't have an authToken present.

[luavixen]

But I am logged in! This is in the exact same terminal session where I just published a new version as the owner of the package

[luavixen]

Oops! Nevermind that, I just logged out and logged back in and now both functions work, weird, sorry for the confusion!

[davidjb]

@luawtf Ah, in that case, it sounds like this is the same situation as mine -- these commands displaying 404 Not Found when the actual issue is authentication-related.

[luavixen]

Yep! I agree that a more general and verbose error would be great.
Also, why does the registry return a 404 when a 401 Unauthorized would make more sense, shouldn't that also be fixed?

[davidjb]

Agreed. Seems odd for packages that are already public -- there's nothing to be gained security-wise by returning a 404 rather than 401 in this case. It would make sense if a package was private, much like how GitHub shows a 404 if you try and access a private repo when logged out so as to not give away the fact there's anything at all at that URL.

[Lectem]

I can confirm the issue was that I was not logged in.
Returning a 401 or having a message warning about not being logged in both sound good to me.

[humanchimp]

we ran into this with a public package as well. npm unpublish @scope/package@version --verbose shows a 404, but otherwise the unpublish appears to be successful

[SimonAlling]

I have the same problem, being unable to deprecate a package of mine. I assumed it had something to do with the package being scoped, since I noticed that the slash in the package name is shown as %2f in the URL, but I really don't understand what's going on.

$ node -v
v14.15.0
$ npm -v
6.14.8
$ npm deprecate @alling/foo-bar "This package should not be used."
npm ERR! code E404
npm ERR! 404 Not Found - PUT https://registry.npmjs.org/@alling%2ffoo-bar - Not found
npm ERR! 404 
npm ERR! 404  '@alling/foo-bar@latest' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

[ljharb]

@SimonAlling what happens with npm v7.0.11?

[SimonAlling]

@SimonAlling what happens with npm v7.0.11?

$ docker run -it node bash
# npm -v
7.0.8
# npm login
Logged in as alling on https://registry.npmjs.org/.
npm notice 
npm notice New patch version of npm available! 7.0.8 -> 7.0.11
npm notice Changelog: https://github.com/npm/cli/releases/tag/v7.0.11
npm notice Run npm install -g npm@7.0.11 to update!
npm notice 
# npm deprecate nonexisting-package-asdfasdf LOL
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/nonexisting-package-asdfasdf?write=true
npm ERR! 404 
npm ERR! 404  'nonexisting-package-asdfasdf@latest' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
# npm deprecate @alling/foo-bar "This package should not be used."

No error or other output, but no deprecation message showed up on the package page (i.e. https://www.npmjs.com/package/@alling/foo-bar), even after like half an hour, so I tried running the command again:

# npm deprecate @alling/foo-bar "This package should not be used."
npm ERR! code E422
npm ERR! 422 Unprocessable Entity - PUT https://registry.npmjs.org/@alling%2ffoo-bar - Unprocessable Entity

However, if I go to a specific version of the package (e.g. https://www.npmjs.com/package/@alling/foo-bar/v/1.1.6), I see the expected deprecation message*. But I want it to show up on the main package page as well (like e.g. urix).

* Latest version: This package has been deprecated. Any other version: This version has been deprecated.

EDIT: The deprecation message finally showed up on the main package page.

[ljharb]

That’s using npm v7.0.8; can you npm install -g npm@7 before running the deprecate command?

[SimonAlling]

The deprecation message finally appeared on the main package page, so I believe it works with npm v7.0.8. 🙂

[krushndayshmookh]

Logging in or logging in after log out solves the issue. Seems like an authentication problem.

[darcyclarke]

npm v6 is no longer in active development; We will continue to push security releases to v6 at our team's discretion as-per our Support Policy.

If your bug is reproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo

Closing: This is an automated message.