Report if a package is malicious or its version has been yanked

### PyPI

- PyPI removes all traces of the `malicious` package. 
- If a package version is deleted, it is properly marked as `yanked`. See the example https://pypi.org/pypi/apache-superset/json where version `2.1.1rc1` is marked as yanked.
- Discussion on an index for packages that have been entirely removed from PyPI: https://discuss.python.org/t/an-index-for-deleted-pypi-packages-versions/50515

### NPM

- Npm removes all versions of a `malicious` package from the index and provides a placeholder package version `0.0.1-security`. See the example https://registry.npmjs.org/gxm-reference-web-auth-server.
- Npm also allows unpublishing (yanking) a package version within 72 hours see https://docs.npmjs.com/unpublishing-packages-from-the-registry.



Related: https://github.com/aboutcode-org/vulnerablecode/pull/1533#discussion_r1716728423, https://github.com/aboutcode-org/vulnerablecode/pull/1533#discussion_r1724863110


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Report if a package is malicious or its version has been yanked #123

PyPI

NPM

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Report if a package is malicious or its version has been yanked #123

Description

PyPI

NPM

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions