
The article tries to make it sound more serious than it actually is. So you can't unpublish packages on NPM now. So what? Why are you unpublishing it in the first place? Just leave it alone and slap a deprecation notice on it.


Because I'm human and sometimes I make idiotic mistakes and I don't want that embarrassing stuff out there where everyone can see. Same reason I sometimes force push to my repositories: I realized I made a mistake immediately after publishing and would like to correct it as quickly as possible.

Some time ago I ran head-first into an npm bug when I tried to symlink the README file, which resulted in the package getting published without a README file because apparently someone somewhere is "opinionated" about symlinks.

https://github.com/npm/cli/issues/6746

That was embarrassing and annoying. So I unpublished it. Then I discovered I couldn't replace the bad package; I had to create a new version of the package. So I did, and then I discovered they had slapped me with a stupid 24-hour countdown on top of all that, during which I could not actually push the corrected version. I hate this thing so much, you have no idea.


> Why are you unpublishing it in the first place? Just leave it alone and slap a deprecation notice on it.

This doesn't work if you've accidentally published sensitive information or files. Though I agree that deleting packages is generally not necessary.


OTOH if you’ve published sensitive info the cat is out of the bag. Deleting the version is not the correct response, rotating creds is the only viable answer.

I’m sure there are bots watching new versions posted to NPM, scanning them for things like AWS access keys or crypto wallet creds. I’d bet that if you publish a package with AWS creds you will have crypto miners launched on your account within the hour if not within 5 minutes (probably all automated).
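The defensive counterpart to the scanning those bots do is to run the same kind of check yourself before the tarball ever leaves your machine, which also covers the accidentally-published-sensitive-files case raised earlier in the thread. The following is an added example, not code from npm or from any commenter: a `prepublishOnly` script that scans the files about to be packed for well-known credential formats and for filenames that should never ship. It assumes that in real use the file list would come from `npm pack --dry-run --json`; here `SAMPLE_FILES` is a constructed in-memory stand-in so the script runs offline, and the AWS key in it is the placeholder value from AWS's own documentation, not a real credential. The rule names and the `prepublishExitCode` helper are this example's own.

```javascript
// Pre-publish secret scan (illustrative example, not npm's own code).
// Intended wiring in package.json:  "prepublishOnly": "node scan-secrets.js"
// so that a non-zero exit aborts `npm publish` before anything is uploaded.
//
// Assumption: in real use `files` would be built from the output of
// `npm pack --dry-run --json`; SAMPLE_FILES below is a constructed stand-in.

// Content rules: each matches a publicly documented credential format.
const CONTENT_RULES = [
  { name: 'aws-access-key-id', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/ },
  { name: 'private-key-block', re: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/ },
  { name: 'npm-access-token', re: /\bnpm_[A-Za-z0-9]{36}\b/ },
];

// Filename rules: files that should never be in a published tarball,
// whatever their contents.
const FILENAME_RULES = [
  { name: 'dotenv-file', re: /(^|\/)\.env(\..+)?$/ },
  { name: 'npmrc-file', re: /(^|\/)\.npmrc$/ },
  { name: 'ssh-private-key', re: /(^|\/)id_(rsa|ed25519|ecdsa|dsa)$/ },
  { name: 'key-material-file', re: /\.(pem|key|p12|pfx)$/ },
];

// Scan a map of { path: contents } and return every finding as
// { file, rule, line } (line 0 means the finding is about the filename).
function scanPackage(files) {
  const findings = [];
  for (const [path, contents] of Object.entries(files)) {
    for (const rule of FILENAME_RULES) {
      if (rule.re.test(path)) findings.push({ file: path, rule: rule.name, line: 0 });
    }
    contents.split('\n').forEach((text, idx) => {
      for (const rule of CONTENT_RULES) {
        if (rule.re.test(text)) findings.push({ file: path, rule: rule.name, line: idx + 1 });
      }
    });
  }
  return findings;
}

// True when publishing should be refused.
function shouldBlockPublish(files) {
  return scanPackage(files).length > 0;
}

// Exit code for the prepublishOnly hook: 1 blocks the publish, 0 lets it through.
function prepublishExitCode(files) {
  const findings = scanPackage(files);
  for (const f of findings) {
    console.error(`BLOCKED ${f.file}:${f.line} (${f.rule})`);
  }
  return findings.length > 0 ? 1 : 0;
}

// Constructed sample package. The AWS key is the placeholder from AWS's
// documentation; the README line shows that a mere mention of a variable
// name is not flagged.
const SAMPLE_FILES = {
  'package.json': '{ "name": "demo-pkg", "version": "1.0.0", "main": "index.js" }',
  'index.js': 'module.exports = () => "hello";\n',
  'README.md': '# demo-pkg\n\nSet AWS_ACCESS_KEY_ID in your environment.\n',
  'config/local.js': 'const accessKeyId = "AKIAIOSFODNN7EXAMPLE"; // leftover from testing\n',
  '.env': 'NPM_TOKEN=placeholder\n',
};

// Demo run on the constructed sample. In the real hook this would be
// `process.exit(prepublishExitCode(filesFromNpmPack))`.
console.log('exit code for sample package:', prepublishExitCode(SAMPLE_FILES));
```

Two findings come back for the sample (the leftover key in `config/local.js` and the stray `.env`), so the hook would exit 1 and `npm publish` would never run. Because this runs before upload, it avoids the situation the thread describes where the only remedy left is rotating the credential.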



