It is rare, but a remote npm registry can unpublish npm packages.
When Nexus is proxying a remote npm repository, a specific package version may get locally cached. Then the remote may unpublish that same package, thus altering the package metadata which lists the versions of the package at the remote site.
The next time Nexus gets the remote metadata for that package, it replaces its own local metadata with the remote copy instead of merging the two. See https://issues.sonatype.org/browse/NEXUS-8624.
If metadata age is set to -1, Nexus will never get new metadata, so it will not know about new versions that get published.
If it is set to anything greater, the new metadata from the remote may get downloaded and will not refer to the already locally cached package. It will replace the local metadata, and Nexus will not serve the already cached, unpublished package to inbound requests.
There is a use case for continuing to serve the already cached package: if we have a project depending on that package, we don't want our project to be affected if this module is unpublished at the remote.
Nexus should also provide an option to continue serving the cached packages, while at the same time providing a method to reconcile packages/metadata that are explicitly deleted from the local cache or the remote site.
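The difference between replacing and merging the metadata described above, as an added example (not Nexus code). The package name, registry host, the `cachedTarballs` list and both function names are assumptions made for illustration, and keeping the remote's `dist-tags` in the merged result is one possible design choice, not something the issue specifies.

```javascript
// Constructed sample data; package name and registry host are placeholders.
const entry = (v) => ({
  name: "example-pkg",
  version: v,
  dist: { tarball: `https://registry.example/example-pkg/-/example-pkg-${v}.tgz` },
});
// Metadata the proxy stored before the remote unpublished 1.1.0.
const cachedPackument = {
  name: "example-pkg",
  "dist-tags": { latest: "1.1.0" },
  versions: { "1.0.0": entry("1.0.0"), "1.1.0": entry("1.1.0") },
};
// Metadata the remote serves afterwards: 1.1.0 is gone, 1.2.0 is new.
const remotePackument = {
  name: "example-pkg",
  "dist-tags": { latest: "1.2.0" },
  versions: { "1.0.0": entry("1.0.0"), "1.2.0": entry("1.2.0") },
};
// Versions whose tarballs are still in the proxy's local storage.
const cachedTarballs = ["1.0.0", "1.1.0"];

const clone = (o) => JSON.parse(JSON.stringify(o));
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Replace: the remote copy wins outright, so cached 1.1.0 is no longer listed.
function replaceMetadata(remote) {
  return clone(remote);
}

// Merge: the remote stays authoritative for versions it lists and for
// dist-tags; cached versions it no longer lists are re-added and reported.
function mergeMetadata(remote, cached, tarballs) {
  const merged = clone(remote);
  const retained = [];
  for (const v of tarballs) {
    if (!has(merged.versions, v) && has(cached.versions, v)) {
      merged.versions[v] = clone(cached.versions[v]);
      retained.push(v); // candidates for later reconciliation or review
    }
  }
  return { merged, retained };
}

const demo = mergeMetadata(remotePackument, cachedPackument, cachedTarballs);
console.log("after replace:", Object.keys(replaceMetadata(remotePackument).versions));
console.log("after merge:  ", Object.keys(demo.merged.versions), "retained:", demo.retained);
```

The `retained` list is the set of versions served only from the cache, which is what a reconciliation step would review before deleting or continuing to serve them.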