1. As a developer I cannot know with certainty that a package I publish will remain published under its current name.
2. As a consumer of packages I cannot trust that a library I am using won't get changed to a different piece of code due to someone else thinking they deserve the name better.
What you say is also a problem. The fact that they claimed to have solved the unpublishing problem when they apparently hadn't is pretty huge, as is the fact that the flaw exists to begin with. Unfortunately NPM is just not a trustworthy company.
You don't have a right to a name on every service on the planet just because you trademark it somehow.
You can as long as your package name isn't trademarked or likely to confuse users installing the package.
> 2. As a consumer of packages I cannot trust that a library I am using won't get changed to a different piece of code due to someone else thinking they deserve the name better.
I'm actually fairly sure npm won't blindly hand over a package that is depended upon to another entity. When they handed over 'kik' it wasn't in the same league as 'left-pad', which was widely depended upon.
> What you say is also a problem. The fact that they claimed to have solved the unpublishing problem when they apparently hadn't is pretty huge
I agree it sucks, but the fact is they 'prevented unpublishing' to bug-fix one vector for this problem, but then introduced a bug in the process that appears very similar to unpublishing. If you've never had this sort of thing happen to you as a software dev (had some stakeholder ask 'but I thought you'd fixed X'), you're very, very lucky.
> as is the fact that the flaw exists to begin with.
Easy to criticise in hindsight. At the time of left-pad, several other package registries (e.g. PyPI) also allowed unpublishing.
> You can as long as your package name isn't trademarked or likely to confuse users installing the package.
Trademarked where exactly? You know, there's quite a lot of world besides the US.
> I'm actually fairly sure npm won't blindly hand over a package that is depended upon, to another entity.
What makes you trust them in this matter? They haven't displayed such behaviour, and their behaviour up until now slightly suggests the opposite.
>> You can as long as your package name isn't trademarked or likely to confuse users installing the package.
> Trademarked where exactly? You know, there's quite a lot of world besides the US.
And, if I recall correctly, trademarked when? Wasn't leftpad.js's author using the name kik well before the company Kik existed? So you don't just need a name that's not trademarked _now_, you need to pick one that no-one else trademarks sometime in the future (in whatever jurisdictions the npm people care about)...
Please elaborate. AFAIK 'kik' wasn't significantly depended upon, and people using the old kik could still install it [1] (had the left-pad author not unpublished it), and that is the only example of npm handing over a package name that I'm aware of.
[1] http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm