ability to delete of published version under certain circumstances

[crowlKats]

We need a way to delete a package version, however we should keep this to be under very specific circumstances. one idea would be:

• less than X downloads
• published less than X ago
• No dependents

this should be sufficient to enable this capability for the usecase people have, while still being true to the rule of being immutable.

[Inbestigator]

Maybe if not latest version? (Unless only version)

[BlackAsLight]

To add to this, I think it would be beneficial to exclude these versions when downloading an existing lib and looking for libs to deduplicate but still included if adding a new dependency to a project.

[Inbestigator]

Maybe yanking could actually be more effective (like yanking all versions will allow you to delete the project etc.)

[crowlKats]

no, yanking allows versions to still be available, and deleting could break a lot. ie lets say std/collections yanked all versions and then deleted the module, that would completely destroy everything

[yuhr]

Versions that satisfy the circumstances must be shown with a noticeable BIG RED WARNING label about the endangerment in the Web UI. Otherwise random users might experience broken builds unexpectedly (like me experienced the same in npmjs.com).

[crowlKats]

@yuhr thats why the idea is that there can be no dependents and very little downloads (ie 10 downloads)

[yuhr]

I mean, we can't measure number of dependents at all, because not all actual dependents are published on JSR. Internal use only softwares might depend on such a low-reputation version.

On the other hand, number of downloads would be trustable. Thresholding at ~10 downloads sounds completely viable to me.

[NetOpWibby]

I would like to delete a scope but I'm prevented from doing so because I have a module with releases. Those releases have been yanked, no one has installed them, but I cannot delete them...I feel that I should be able to delete the package and scope.