impossible to delete a specific npm package metadata root in some scenarios

A customer encountered a situation where they could not find a conventional way to delete the Nexus Repository served package metadata for a specific npm package that was proxied from the official registry.

Their repo structure was:

├ ⧈ npm (npm-group)
│   ├ ▶ aws-proxy (npm-proxy) ≻ https://remote.nexus.example.com/repository/npm-hosted
│   ├ ▶ npminternal-proxy (npm-proxy) ≻ http://other.nexus.example.com/repository/npminternal/
│   ├ ▶ npmexternal-proxy (npm-proxy) ≻ http://other.nexus.example.com/repository/npmexternal/
│   ├ ▶ aws-other-proxy (npm-proxy) ≻ http://other.nexus.example.com/repository/npm-other
│   └ ▶ npm-proxy (npm-proxy) ≻ https://registry.npmjs.org/

Customer performed these actions attempting to expose to them the npm package asset to delete:

• rebuild search indexes
• rebuild browse tree
• invalidate cache on npm group and npm-proxy proxy repo and try to refetch the new metadata at the remote ( npm-proxy repo Metadata Max Age was already 5 minutes and that did not help )
• deleting all individual npm package tgz files that search component REST API reported to exist for the same package
• rebuilding npm repository metadata using groovy script described at this link

None of those options worked to expose the package root metadata so that it could be deleted via REST or Browse views.

Component search only returned 4 tgz npm component records for the specific package, not the package metadata ( each tgz is a component internally in npm ). Browse node for the package at #browse/browse:npm-proxy:examplepackage displayed an error message: "Unable to show requested tree entry" when clicked" so it could not be deleted that way either.

Removing the npm-proxy repo from the group and adding in a new proxy repo has been known as a workaround ( based on previous workarounds needed in other situations ) but the other ramifications and risks for that were not desired. Customer eventually replaced existing group and proxy repos as a solution though because resolving this situation was an emergency.

Workaround

Sonatype has developed a groovy script ( only tested for 3.35.0 and npm assets ) that can delete a specific npm package metadata asset from a repository.

Expected

Provide a supported conventional method to delete an npm package root metadata using Browse and Search/REST. One should never arrive at a situation where package specific metadata cannot be explicitly deleted from a repo ( and refreshed in any group repo containing that repo ).