npm/npm

Package name too similar to existing packages

catamphetamine opened this issue · 18 comments

How does NPM judge whether it's "too similar" or not "too similar"?

npm ERR! publish Failed PUT 403
npm ERR! code E403
npm ERR! Package name too similar to existing packages; try renaming your package to '@catamphetamine/react-application' and publishing with 'npm publish --access=public' instead : react-application

Perhaps there's already a react-application package?
Seems that there is none.

λ npm install react-application
npm ERR! code E404
npm ERR! 404 Not Found: react-application@latest

Got a reply:

Hello, Thanks for reaching out. The 403 error you received is a new typosquat functionality that will prevent security vulnerabilities. The react-application package name is similar to the reactapplication package name, so npm has blocked the publish and has also recommended publishing it as a scope package. For more information on typosquat please refer to: https://gist.github.com/ashleygwilliams/e466c1e9fd3be42545da511239edd554

This is not ideal.

Instead of this, npm install should prompt something like:

You tried to install the package `react-application` but we also found a package called `reactapplication`. Did you mean to install `react-application`? (yes/no) _

That'd be MUCH better.
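To make the "too similar" rule discussed in this thread concrete, here is an added pre-publish check (not npm's own code; the registry contents, the account names and the normalization heuristic are assumptions inferred from the react-application / reactapplication example, and npm's real comparison may differ). It also separates the case where every clash belongs to the same account, which several comments below raise.

```python
import re

# Constructed sample registry for the demo: bare package name -> publishing
# account. Not a real registry lookup.
REGISTRY = {
    "reactapplication": "user-a",
    "cross-env": "user-b",
    "mypackage": "me",
}

# Assumed heuristic: names are compared after dropping these separators.
SEPARATORS = re.compile(r"[-_.]")


def normalize(name: str) -> str:
    """Reduce a name to the form used for the similarity comparison.

    Assumption based on the thread's example: strip an @scope/ prefix,
    lower-case, and remove '-', '_' and '.' so that react-application and
    reactapplication collapse to the same key.
    """
    if name.startswith("@") and "/" in name:
        name = name.split("/", 1)[1]
    return SEPARATORS.sub("", name.lower())


def check_name(candidate: str, publisher: str, registry=REGISTRY):
    """Return (verdict, clashing_names) for a proposed unscoped name.

    Verdicts: 'taken' (exact name exists), 'too-similar' (another account
    owns a name with the same normalized key), 'own-rename' (every clash is
    the publisher's own package, i.e. a rename rather than a squat), 'ok'.
    """
    if candidate in registry:
        return "taken", [candidate]
    key = normalize(candidate)
    clashes = sorted(n for n in registry if normalize(n) == key)
    if not clashes:
        return "ok", []
    if all(registry[n] == publisher for n in clashes):
        return "own-rename", clashes
    return "too-similar", clashes


def suggest(candidate: str, publisher: str) -> str:
    """Mirror npm's fallback from the error above: a scoped name."""
    verdict, _ = check_name(candidate, publisher)
    if verdict == "too-similar":
        return f"@{publisher}/{candidate}"
    return candidate
```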

I just encountered this.
It is definitely not ideal.
A good name is hard to come by.

This is bad. I developed the most popular pkg for a thing and someone registered that name before me; now when I add - in the two words it says — my pkg is too similar.

rdev commented

Just encountered the same thing.
I get how this may help fight malicious package names (cross-env/crossenv story), but it's not a good solution. Hell, the package that mine is "too similar" to hasn't been updated in 2 years.

I published my first package without -'s in the name and now want to rename it to conform to proper naming conventions, without upsetting people who are currently using it. I've tried to deprecate my existing package and publish a new one with - in the name, but because of this similarity rule I cannot. Do I have to simply unpublish the existing package and hope that existing users find the new one?

Since you own the other one, probably email support and see what they say.

The package with the old name and the package with the new one are both in my own friggin' account. How can there be a security issue?

Should be possible to rename a package

What a pain...

This is especially sad given that if you go to https://www.npmjs.com/package/react-application you get:
[screenshot of the npm package page]

Just ran into the same thing, saw the page @johnnyodonnell screenshotted when I was considering a package name, developed around that name, and then got this error when trying to publish. Seems like an unnecessary hassle given the crowded package name space, and at a minimum the website should be fixed not to advertise npm publish for package names that can't be used.

Make sure to let https://github.com/npm/www know about that 😄

No benefit at all.. just problems.. have to invent a weird name for a package to make it work

Bad. SAD.

Instead of doing this, you may be able to bring out useful packages to the foreground. It seems like a rather useless solution.

This is annoying.

Same issue here. Not able to publish "fix.js", because it is too similar to another package, presumably "fix", except that is also my package!