Unpublish & Immutability Policy
Last updated: March 2026
1. Immutability Principle
To ensure the stability of the software supply chain, public bundle versions published to the Musher registry are generally immutable once successfully published. This means that consumers of your bundles can depend on a specific version always resolving to the same content.
2. 72-Hour Unpublish Window
You may unilaterally unpublish a public bundle version within 72 hours of publication, provided that:
- No other public bundles depend on the version being removed
- The version has not been widely adopted (its download count is below the registry's threshold)
After the 72-hour window, removal requires a formal request to [email protected] and may be subject to ecosystem impact review.
3. Yank vs. Unpublish vs. Hard Delete
- Yank: The version is marked as deprecated. Existing consumers can still resolve it, but new consumers receive a warning. Metadata (version number, publisher, yank reason) is preserved. This is the default action for most takedown scenarios.
- Unpublish: The version is removed from the registry index. Existing lock files referencing the version will fail to resolve. Available only within the 72-hour window or by support request.
- Hard Delete: The version and all associated content are permanently removed. Reserved for extreme cases involving security incidents, leaked credentials, or court orders.
4. Platform-Initiated Takedowns
Musher reserves the right to immediately yank, unpublish, or hard-delete any bundle version that:
- Contains active malware, trojans, or other malicious code
- Exposes private cryptographic credentials, API keys, or secrets
- Infringes intellectual property rights (subject to our DMCA Policy)
- Violates our Acceptable Use Policy
- Is subject to a valid court order or legal process
5. Tombstoning
When a version is removed by Musher, a tombstone record is preserved in the registry. The tombstone includes the version number, the date of removal, and a general reason category (e.g., "security," "DMCA," "AUP violation"). This allows downstream consumers to understand why a dependency is no longer available, rather than encountering a silent 404.
6. Downstream Impact Notification
When a platform-initiated takedown affects a version with significant downstream usage, Musher will make reasonable efforts to notify affected consumers through the registry's version resolution warnings. Publishers of dependent bundles may receive email notification when a dependency is removed.
7. Private Bundles
Private bundles are not subject to the immutability constraints described above. Private bundle owners may delete their versions at any time. However, deletion is permanent and cannot be undone.
8. Contact
For questions about this policy or to request a takedown, contact us at: [email protected]