Appearance
Revocation
Revocation is unpublishing a version. The semantics are sharply different between Gitea (current) and npmjs.com (target state).
Gitea (today)
Gitea allows full deletion of any version through its admin UI or API:
bash
# Via Gitea admin API
curl -X DELETE \
-H "Authorization: token <gitea-admin-token>" \
"https://registry.hivecast.ai/api/v1/packages/hivecast-admin/npm/@open-matrix%2Fchat/0.2.3"After deletion:
- The tarball is gone.
npm install @open-matrix/chat@0.2.3fails with 404.- Other versions remain unaffected.
- Consumers with the deleted version in their lockfile fail to install cleanly until they update.
Gitea-side deletion is the reason pre-launch development uses Gitea instead of public npm. Mistakes are recoverable.
After deletion, manually update discovery-index.json to remove the version's entry so the catalog reflects reality. There is no automated hook today.
npmjs.com (target state, dangerous)
The npm registry has different rules:
- npm permits unpublish of versions less than 72 hours old, with very limited exceptions.
- After 72 hours, npm requires manual intervention from npm support to remove a version, and they will only do so for malicious or harmful content.
- "Deprecation" is the supported alternative — the version remains installable but a warning prints.
The npm publish safety audit documents this in detail. Do not publish to npmjs.com without thorough review.
Deprecation (supported on both backends)
npm deprecate adds a warning to a version without removing it:
bash
npm deprecate @open-matrix/chat@0.2.3 "Buggy. Use 0.2.4."The version is still installable. npm install prints the deprecation warning. Lockfiles continue to work. This is the preferred way to discourage use of a flawed version when actual removal is unsafe.
What revocation does NOT undo
Revoking a version does not:
- Remove the version from existing consumer lockfiles.
- Recall already-installed copies on consumer machines.
- Remove transitive dependents that bundled the version.
- Affect the
discovery-index.json(a separate update step is needed). - Affect the
node_modules/of any running Host. Hosts continue to run whatever bytes are on disk.
If a security issue requires consumers to update, communicate independently. Revocation alone is necessary but never sufficient.
Security-driven revocation
For a known-malicious version:
- Immediately revoke from Gitea (or deprecate on npmjs.com).
- Publish a fixed version above the bad one.
- Communicate through whatever channels reach affected consumers.
- Update
discovery-index.jsonto drop the bad version's entry. - Audit logs on Gitea to confirm origin of the bad publish.
Steps 1-2 are technical; steps 3-5 are operator process. There is no auto-disclosure pipeline today.
See also
Source: Gitea admin UI / API. npm rules per https://docs.npmjs.com/policies/unpublish.