In 2019 we started building a library for building node based UIs, and decided to call it “React Flow.” It’s a nice name, so of course “reactflow” and “react-flow” were already taken. The best option we had for us was “react-flow-renderer,” so we took what we could get.
Three years and many Github stars later, we wanted a sleeker name. Both “reactflow” and “react-flow” hadn’t been used or changed for over 6 years, so I found the email address associated with “reactflow” using npm view reactflow _npmUser
, sent a nice email asking if we could use it, and crossed fingers.
Within just 2 hours, the owner replied, and said he had already handed over the rights to us (?!?!). Faster and easier than expected thanks to a quick-responding stranger, we were in business
. We were about to publish a new major version, and were excited that a fresh new “reactflow” package would come with the release.
Mistakes were made
The previous owner published just one version of their package 10 years ago. I wanted to start with a fresh package called “v11.0.0-beta,” but I’d have to unpublish that old version first.
It was the only version, so I would have to use the “force” argument. But that shouldn’t be a problem, because I can publish a new version, right?
npm unpublish@0.1.0 —force
Then it was time to make our new name, and look forward to a bright, sunny future.
npm publish
Then, a dreaded error message…
“Package name too similar to existing package react-flow”
But we just had the name?! Those two names have existed together for the past 6 years?? What happened?
With a frantic google search, it turns out npm introduced a typosquat security feature a few years ago, way after either of these package names were created, which was now blocking me from using the “reactflow” package at all. I felt terrible, and couldn’t believe that I lost a package that I just received from a kind stranger!

Getting reactflow back
Two minutes of wallowing and frantic google searching later, I realised that I really messed up and wrote npm a message explaining my situation. They answered that there is nothing they can do about it and that we should use a scoped package name instead or follow the package name dispute policy https://www.npmjs.com/policies/disputes. This was bad.
We wrote some mails back and forth, and finally at the end of the day, they rolled back the mistake I made and restored the previous version 0.1.0 What a relief!
Thanks to npm support, everyone who wants to use React Flow can use npm install reactflow
instead of npm install react-flow-renderer
, which was released along with our v11 update. Feels good.
How to not make the same mistake
- Never unpublish the last version of a package if you might want to use the name again.
- Never do anything on npm that you are not 100% sure about.
- npm support is great ❤️