16 November 2022

How we lost our slick new npm package name (and then got it back)

Moritz Klack
Co-Founder

In 2019 we started building a library for building node-based UIs, and decided to call it “React Flow.” It’s a nice name, so of course “reactflow” and “react-flow” were already taken. The best option left to us was “react-flow-renderer,” so we took what we could get.

Three years and many GitHub stars later, we wanted a sleeker name. Neither “reactflow” nor “react-flow” had been used or changed in over 6 years, so I found the email address associated with “reactflow” using npm view reactflow _npmUser, sent a nice email asking if we could use it, and crossed my fingers.

Within just 2 hours, the owner replied, and said he had already handed over the rights to us (?!?!). Faster and easier than expected, thanks to a quick-responding stranger, we were in business. We were about to publish a new major version, and were excited that a fresh new “reactflow” package would come with the release.

email from reactflow package handover

Mistakes were made

The previous owner had published just one version of their package, 10 years ago. I wanted to start fresh with “v11.0.0-beta” as the first version, but I’d have to unpublish that old version first.

It was the only version, so I would have to use the “force” flag. But that shouldn’t be a problem, because I can publish a new version right afterwards, right?

npm unpublish reactflow@0.1.0 --force

Then it was time to make our new name, and look forward to a bright, sunny future.

npm publish

Then, a dreaded error message…

“Package name too similar to existing package react-flow”

But we just had the name?! Those two names had coexisted for the past 6 years?? What happened?

With a frantic Google search, it turned out that npm had introduced a typosquat security feature a few years ago, long after either of these package names was created. It rejects new package names that are too similar to existing ones, and once the only version of “reactflow” was unpublished, the name counted as new, so the check now blocked me from using “reactflow” at all. I felt terrible, and couldn’t believe that I had lost a package I had just received from a kind stranger!

Noooo!

Getting reactflow back

Two minutes of wallowing and frantic Google searching later, I realised that I had really messed up, and wrote npm a message explaining my situation. They answered that there was nothing they could do about it and that we should use a scoped package name instead or follow the package name dispute policy at https://www.npmjs.com/policies/disputes. This was bad.

We wrote some mails back and forth, and finally, at the end of the day, they rolled back the mistake I had made and restored the previous version 0.1.0. What a relief!

Thanks to npm support, everyone who wants to use React Flow can now run npm install reactflow instead of npm install react-flow-renderer; the renamed package shipped along with our v11 update. Feels good.

How to not make the same mistake

  1. Never unpublish the last version of a package if you might want to use the name again.
  2. Never do anything on npm that you are not 100% sure about.
  3. npm support is great ❤️
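To make rule 1 mechanical rather than a matter of remembering, here is a small pre-flight check you can run before unpublishing the last version of a package whose name you intend to reuse. This is an added example, not code from the React Flow project or from npm. It assumes npm's typosquat (moniker) rule compares names case-insensitively after stripping the punctuation characters “.”, “-” and “_”, which is what turns “reactflow” and “react-flow” into the same name; the registry snapshot in the block is constructed for illustration, not real npm data.

```javascript
// Added example (not from the React Flow post or from npm): a pre-flight
// check to run before `npm unpublish <name>@<ver> --force` on a package's
// last version. A name that is already registered is grandfathered; once
// its last version is unpublished, the name is treated as brand new and
// the typosquat rule applies, so a near-duplicate existing package can
// permanently block re-publishing under that name.

// Assumption about npm's rule: lowercase, then strip ".", "-" and "_".
const PUNCTUATION = /[._-]/g;

// Normalize a package name the way the typosquat check is assumed to do.
// Scoped names (@scope/name) are not subject to this check (npm support
// suggested a scoped name as the workaround), so they are returned as-is.
function normalizeName(name) {
  if (name.startsWith("@")) {
    return name;
  }
  return name.toLowerCase().replace(PUNCTUATION, "");
}

// Return every existing package whose normalized form collides with
// `candidate`, excluding the candidate itself (which is still registered).
function findCollisions(candidate, existingNames) {
  const target = normalizeName(candidate);
  return existingNames.filter(
    (n) => n !== candidate && normalizeName(n) === target
  );
}

// True only if no other registered name would collide with `candidate`
// once it is treated as a new name again.
function unpublishLastVersionIsSafe(candidate, existingNames) {
  return findCollisions(candidate, existingNames).length === 0;
}

// Constructed registry snapshot (not real npm data), mirroring the post:
// "reactflow" and "react-flow" coexist only because both predate the rule.
const EXISTING = ["reactflow", "react-flow", "react-flow-renderer", "lodash"];

function main() {
  for (const name of ["reactflow", "react-flow-renderer"]) {
    const collisions = findCollisions(name, EXISTING);
    if (collisions.length === 0) {
      console.log(`${name}: no near-duplicates, unpublishing the last version is safe`);
    } else {
      console.log(
        `${name}: DO NOT unpublish the last version; ` +
          `re-publishing would be blocked by ${collisions.join(", ")}`
      );
    }
  }
}

main();
```

In practice you would populate the list of existing names by querying the registry for each punctuation variant of your name (for example npm view react-flow name, which prints the name when the package exists), then run the check; if it reports a collision, keep the old version published and publish the new release on top of it instead.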
