16 November 2022
How we lost our slick new npm package name (and then got it back)
In 2019 we started building a library for building node based UIs (opens in a new tab), and decided to call it “React Flow.” It’s a nice name, so of course “reactflow” and “react-flow” were already taken. The best option we had for us was “react-flow-renderer,” so we took what we could get.
Three years and many Github stars later, we wanted a sleeker name. Both “reactflow” and “react-flow” hadn’t been used or changed for over 6 years, so I found the email address associated with “reactflow” using
npm view reactflow _npmUser, sent a nice email asking if we could use it, and crossed fingers.
Within just 2 hours, the owner replied, and said he had already handed over the rights to us (?!?!). Faster and easier than expected thanks to a quick-responding stranger, we were in business. We were about to publish a new major version, and were excited that a fresh new “reactflow” package would come with the release.
The previous owner published just one version of their package 10 years ago. I wanted to start with a fresh package called “v11.0.0-beta,” but I’d have to unpublish that old version first.
It was the only version, so I would have to use the “force” argument. But that shouldn’t be a problem, because I can publish a new version, right?
npm firstname.lastname@example.org —force
Then it was time to make our new name, and look forward to a bright, sunny future.
Then, a dreaded error message…
“Package name too similar to existing package react-flow”
But we just had the name?! Those two names have existed together for the past 6 years?? What happened?
With a frantic google search, it turns out npm introduced a typosquat security feature (opens in a new tab) a few years ago, way after either of these package names were created, which was now blocking me from using the “reactflow” package at all. I felt terrible, and couldn’t believe that I lost a package that I just received from a kind stranger!
Two minutes of wallowing and frantic google searching later, I realised that I really messed up and wrote npm a message explaining my situation. They answered that there is nothing they can do about it and that we should use a scoped package name instead or follow the package name dispute policy https://www.npmjs.com/policies/disputes (opens in a new tab). This was bad.
We wrote some mails back and forth, and finally at the end of the day, they rolled back the mistake I made and restored the previous version 0.1.0 What a relief!
Thanks to npm support, everyone who wants to use React Flow can use
npm install reactflow instead of
npm install react-flow-renderer, which was released along with our v11 update (opens in a new tab). Feels good.
- Never unpublish the last version of a package if you might want to use the name again.
- Never do anything on npm that you are not 100% sure about.
- npm support is great ❤️
1 November 2022
What’s new at React Flow - Fall 2022 🍂
A dispatch straight from our desks about what’s happened in the last couple of months at React Flow: updates, news, and a peek behind-the-scenes.Read more
19 December 2022
v11.4.0, design-tool components, an awesome list, and new examples
Hey! We wanted to share an update about what we’ve been up to before we wrap ourselves up in blankets to hibernate until the new year (we’ll be shutting our laptops from today until January 2nd ⛄). Let’s get into what’s been up the past few months, what’s coming, and what we’re excited about right now.Read more