This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

npm logout leaves private packages in cache #10877

Closed
seangarner opened this issue Dec 18, 2015 · 2 comments

Comments

@seangarner

When using npm logout it leaves behind all the cached responses for the registry and tarballs. This can lead to confusion if then installing a private module after having logged out:

  • UX side; mild panic because unauthenticated users can install my private packages.
  • There's the possibility that a user might forget that they've logged out and continue installing packages which use the cache (therefore could actually be out of date, since it's using the cached registry call).
  • Finally a mild security issue because npm is leaving behind private data once logged out.

Ideally I'd expect the cache to be cleared of any private data as you log out. But a warning that private data may exist and the user may want to run npm cache clear on logout would also be an acceptable solution to me.
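
A check that can be run after npm logout to see whether the cache still holds private data, as the report above describes. This is an added example, not part of the original issue or npm's own code. It assumes private packages live under a known scope (the constructed `@acme` below), the function name `audit_npm_cache` is hypothetical, and the match is a heuristic on file paths and text content rather than on any particular cache layout.

```shell
#!/bin/sh
# Audit an npm cache directory for leftovers from private scopes.
# Heuristic only: flags files whose path contains the scope, or whose text
# content mentions it (plain or URL-encoded). No cache layout is assumed.
#
# Typical use after logging out (the scope name is a constructed sample):
#   sh audit.sh "$(npm config get cache)" @acme || npm cache clear

# audit_npm_cache CACHE_DIR SCOPE...
# Prints one leftover file per line (sorted, unique).
# Returns 0 if nothing was found, 1 if leftovers exist, 2 on usage error.
audit_npm_cache() {
    if [ "$#" -lt 2 ]; then
        echo "usage: audit_npm_cache CACHE_DIR @scope..." >&2
        return 2
    fi
    cache_dir=$1
    shift
    if [ ! -d "$cache_dir" ]; then
        echo "no such cache directory: $cache_dir" >&2
        return 2
    fi
    hits=$(
        for scope in "$@"; do
            # 1. Files stored under a path that contains the scope name
            #    (for example cached tarballs).
            find "$cache_dir" -type f -path "*${scope}*" 2>/dev/null
            # 2. Text files (registry metadata, index entries) that mention
            #    the scope; -I skips binary files, -F matches literally.
            grep -rlIiF -e "${scope}/" -e "${scope}%2f" "$cache_dir" 2>/dev/null
        done | sort -u
    )
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Run as a script when arguments are given: CACHE_DIR followed by scopes.
if [ "$#" -gt 0 ]; then
    audit_npm_cache "$@"
    exit $?
fi
```

A non-zero exit with a list of paths means data for those scopes is still on disk and readable by any local user of that cache, whatever the login state.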

@Niffy

Niffy commented Jan 7, 2016

I concur. I had a heart attack when I was able to still do this after logging out!
Thankfully you provided the solution of npm cache clear.

@npm-robot

We're closing this issue as it has gone seven days without activity and without being labeled. If we haven't even labeled an issue in seven days then we're unlikely to ever read it.

If you are still experiencing the issue that led to you opening this or this is a feature request you're still interested in then we encourage you to open a new issue. If this was a support issue, you may be better served by joining package.community and asking your question there.

For more information about our new issue aging policies and why we've instituted them please see our blog post.
