Skip to main content

How we lost our slick new npm package name (and then got it back)

· 3 min read
Moritz Klack

In 2019 we started building a library for building node based UIs, and decided to call it “React Flow.” It’s a nice name, so of course “reactflow” and “react-flow” were already taken. The best option we had for us was “react-flow-renderer,” so we took what we could get.

Three years and many Github stars later, we wanted a sleeker name. Both “reactflow” and “react-flow” hadn’t been used or changed for over 6 years, so I found the email address associated with “reactflow” using npm view reactflow _npmUser, sent a nice email asking if we could use it, and crossed fingers.

Within just 2 hours, the owner replied, and said he had already handed over the rights to us (?!?!). Faster and easier than expected thanks to a quick-responding stranger, we were in business

. We were about to publish a new major version, and were excited that a fresh new “reactflow” package would come with the release.

email from reactflow package handover

Mistakes were made

The previous owner published just one version of their package 10 years ago. I wanted to start with a fresh package called “v11.0.0-beta,” but I’d have to unpublish that old version first.

It was the only version, so I would have to use the “force” argument. But that shouldn’t be a problem, because I can publish a new version, right?

npm unpublish@0.1.0 —force

Then it was time to make our new name, and look forward to a bright, sunny future.

npm publish

Then, a dreaded error message…

“Package name too similar to existing package react-flow”

But we just had the name?! Those two names have existed together for the past 6 years?? What happened?

With a frantic google search, it turns out npm introduced a typosquat security feature a few years ago, way after either of these package names were created, which was now blocking me from using the “reactflow” package at all. I felt terrible, and couldn’t believe that I lost a package that I just received from a kind stranger!


Getting reactflow back

Two minutes of wallowing and frantic google searching later, I realised that I really messed up and wrote npm a message explaining my situation. They answered that there is nothing they can do about it and that we should use a scoped package name instead or follow the package name dispute policy This was bad.

We wrote some mails back and forth, and finally at the end of the day, they rolled back the mistake I made and restored the previous version 0.1.0 What a relief!

Thanks to npm support, everyone who wants to use React Flow can use npm install reactflow instead of npm install react-flow-renderer, which was released along with our v11 update. Feels good.

How to not make the same mistake

  1. Never unpublish the last version of a package if you might want to use the name again.
  2. Never do anything on npm that you are not 100% sure about.
  3. npm support is great ❤️