I'm trying to better understand the "risks" of building with 3rd party packages and npm more broadly.

If I npm install some 3rd party package like semantic-ui-react, is there any chance that in the future I won't be able to use the package on my site? Or will I always be able to use the package for that specific version that was installed? I'm assuming I do not perform any upgrades etc. I presume these packages are "decentralized" and "censorship" resistant?

Thanks in advance
CodePudding user response:
Registry data is immutable, meaning once published, a package cannot change. We do this for reasons of security and stability of the users who depend on those packages. So if you've ever published a package called "bob" at version 1.1.0, no other package can ever be published with that name at that version. This is true even if that package is unpublished.
I recommend reading the npm unpublish policy docs: