NPM changes downloads-stats API and informs the world 38 hours later

There are two parts to this post. The first is about what happened, chronologically and the second part is about why I was so disappointed with this.

Note: All the times in this post which are not annotated are India Standard Time = GMT + 5.5

What happened?

Why do I even care?

It’s just a downloads API, CHILL MAN.

No one actually said that to me, but you might be wondering why this was such a big deal for me.

Mainly because I have download numbers on my CV and when someone clicks on the link and sees a number less than the number they just saw and no apparent explanation, it’s a bad look. There’s almost no explanation that can be given in less than a few minutes time. (Hence, the request to Paul Vorbach to put a note on his website)

Also because this was unprecedented! This sort of an API change (i.e. a change without any prior warning) leads to every tool that depends on the API malfunctioning! Their official stand is that they will keep doing it in the future as well, and they will only follow-up with documentation:

We reserve the right to further limit API usage without warning when we see a pattern of requests causing the API to be unusable for most callers. We’ll follow up with documentation in these cases. Our primary goal is to prevent API use from either deliberately or accidentally making the service unresponsive for other users.


I like NPM. Irrespective of that, if you want to work with Node.js then you are absolutely going to HAVE to use it. There are many things that could have been done better here: more warning before such API changes, a tweet an hour before the API change was deployed would have been notice enough. Or how about adding a field to the /downloads api response that informed the user that the data is not for the complete range that they requested because of a new API change.

They have a monthly newsletter, a Twitter account, a blog and they chose not to post about this anywhere. I can only guess that they were undergoing an attack and they had to limit the API to fight that. I can’t believe anyone would have a planned move to limit data and not inform their users about it prior to the change itself.

Explaining a change 38 hours after deploying the change is just not acceptable for an API that’s so prevalent.


NPM limited their /downloads API to return data only for the last 18 months if you request for a range more than 18 months. They informed the world about it 38 hours after I first noticed the change. This lead to malfunctioning and showing drastically low numbers because of years of data was simply not there.