TL;DR - Package squatting is not allowed. If you sit on a package
name and don't publish code, it'll be deleted without warning.
----
npm package names have always been a "first come, first served"
system. I think this is generally good. It incentivizes early
adopters, which is important, because they're the most valuable users.
It also is a powerful motivator to *actually write code*.
Traditionally, the pattern has been that if you think of a great name,
well, you'd better ship something, then! We never had to have an
explicit rule about publishing empty packages, for the same reason
that you don't have to have an explicit rule about leaving garbage on
the floor in someone's house. It's just not something you'd do.
It is hard to really comprehend *just how many* possible package names
there are. The math isn't that hard, but the actual numbers are
mind-boggling. Even just limiting to 4 characters, there's
36*38*38*38 potential names. That's about 100x the number of npm
packages that have ever been published. And yes, it includes stuff
like 0-_-, but still. You don't have to limit it to 4 characters. At
8 characters, there's 4118960973312 potential names.  If you got TJ
Holowaychuk and Raynos and Substack and architectd and Dominic Tarr
together and managed to get them to publish a package with a unique
8-character name every MILLISECOND, it'd take OVER 130 YEARS to ever
use them all up! Absurdity aside, there are millions and millions of
common words and clever spellings. We'll never run out. There is no
scarcity.
(To the alpha-nerds in the audience: this is not a challenge. Please
don't DOS the registry. ;)
The official policy for handling name disputes mostly focuses on
abandoned modules, confusing name collisions, and other cases where
two parties both actually have published (or want to publish) working
code.  There's never been a need to make the "no seat saving" rule
explicit, because it just didn't happen much.  Disputes between two
authors have generally always been handled pretty easily. The
occasional "no code here" module was always a mistake or an oversight,
and promptly cleaned up.
Lately, probably owing to the increase in our community's size, or the
increase in npm's popularity, or some combination of factors, I've
been seeing a lot more cases where someone asks to use a module,
pointing out that the author isn't using it, and they're told, "No,
that's something I'll be publishing at some time in the future." When
I've stepped in and made a ruling, pointing out that **npm is for node
modules that exist, not for node modules that don't exist**, the
squatters have in some cases reacted with surprise and frustration.
It's gotten un-amicable.
If you think I'm talking about you, you're probably right. But I
wouldn't bother to write this if it had been an isolated incident, so
you're not alone. I don't want to single anyone out, and it's
happened enough times that clearly there's some widespread confusion
about what's ok and what isn't. You're not a bad person. You didn't
know.
To be fair, yes, this was never a part of any "official" policy in an
explicit way. So, as of
https://github.com/isaacs/npm/commit/993abe412db791f9460932371b39642817523aab
(and this email) it's explicit. (The great thing about npm being a
dictatorship is that it doesn't ultimately matter what any policy
says. My interest is for the node community to write code, so
anything that stands in the way of that gets cut down, policy be
damned.)
It is very easy to rename a module.  It's a matter of changing *a
single field* in a JSON doc.  If it takes a few months to build
something, and someone publishes something with the same name in
the meantime, that means a few things are likely:

1. You took too long.  Go faster.  Which probably means:
   1a. You tried to write something that was too big.  Build smaller.
2. The name you chose is too vague and doesn't tell much about your
   problem domain.  Which probably means:
   2a. Your problem domain is ill defined.  (Is it an MVC framework?
       CMS platform?  Stop right there.)

If that happens, just pick a new name! There are literally zillions
to choose from. It doesn't matter how long you've slaved over the
code to make your module, with the hope of using that name. They got
it over the finish line first. That's how "first come first served"
works.
This is the warning. If you're reading this, and you have something
that you're "intending" to publish "soon", hurry up! If your module
is just a placeholder, it'll be removed the first time someone calls
attention to it.
It pains me to have to do administration of any sort. Really. You
have no idea how lazy I am when it comes to petty things like this,
and I don't enjoy being a hardass. But npm is not for owning words.
It's for sharing code. Hack or get out of the way.