Skip to content

Revocation

Revocation is unpublishing a version. The semantics are sharply different between Gitea (current) and npmjs.com (target state).

Gitea (today)

Gitea allows full deletion of any version through its admin UI or API:

bash
# Via Gitea admin API
curl -X DELETE \
  -H "Authorization: token <gitea-admin-token>" \
  "https://registry.hivecast.ai/api/v1/packages/hivecast-admin/npm/@open-matrix%2Fchat/0.2.3"

After deletion:

  • The tarball is gone.
  • npm install @open-matrix/chat@0.2.3 fails with 404.
  • Other versions remain unaffected.
  • Consumers with the deleted version in their lockfile fail to install cleanly until they update.

Gitea-side deletion is the reason pre-launch development uses Gitea instead of public npm. Mistakes are recoverable.

After deletion, manually update discovery-index.json to remove the version's entry so the catalog reflects reality. There is no automated hook today.

npmjs.com (target state, dangerous)

The npm registry has different rules:

  • npm permits unpublish of versions less than 72 hours old, with very limited exceptions.
  • After 72 hours, npm requires manual intervention from npm support to remove a version, and they will only do so for malicious or harmful content.
  • "Deprecation" is the supported alternative — the version remains installable but a warning prints.

The npm publish safety audit documents this in detail. Do not publish to npmjs.com without thorough review.

Deprecation (supported on both backends)

npm deprecate adds a warning to a version without removing it:

bash
npm deprecate @open-matrix/chat@0.2.3 "Buggy. Use 0.2.4."

The version is still installable. npm install prints the deprecation warning. Lockfiles continue to work. This is the preferred way to discourage use of a flawed version when actual removal is unsafe.

What revocation does NOT undo

Revoking a version does not:

  • Remove the version from existing consumer lockfiles.
  • Recall already-installed copies on consumer machines.
  • Remove transitive dependents that bundled the version.
  • Affect the discovery-index.json (a separate update step is needed).
  • Affect the node_modules/ of any running Host. Hosts continue to run whatever bytes are on disk.

If a security issue requires consumers to update, communicate independently. Revocation alone is necessary but never sufficient.

Security-driven revocation

For a known-malicious version:

  1. Immediately revoke from Gitea (or deprecate on npmjs.com).
  2. Publish a fixed version above the bad one.
  3. Communicate through whatever channels reach affected consumers.
  4. Update discovery-index.json to drop the bad version's entry.
  5. Audit logs on Gitea to confirm origin of the bad publish.

Steps 1-2 are technical; steps 3-5 are operator process. There is no auto-disclosure pipeline today.

See also

Source: Gitea admin UI / API. npm rules per https://docs.npmjs.com/policies/unpublish.