Package Administration

Package administration covers the operations available to package uploaders, publisher admins, and server admins after a package is published.

Who Can Do What

Every package is owned in exactly one of two ways, decided by whether a publisher is set:

• Uploader list — one or more users with rights on this package. Used when no publisher is set.
• Publisher — a single organization. Used when a publisher is set.

The two are mutually exclusive: once a publisher is set the package is publisher-owned, and the uploader list is no longer consulted for permission checks. Clearing the publisher returns the package to uploader ownership (the server ensures at least one uploader remains).

For a publisher-owned package: any publisher member can publish new versions, but the administrative actions in the table below require publisher admin rights. For an uploader-owned package, every named uploader can do all of these actions.

Action	Uploader (uploader-owned) / publisher admin (publisher-owned)	Server admin only
Add / remove uploaders	yes	yes
Set or clear publisher	yes	yes
Discontinue, set replacedBy, toggle unlisted	yes	yes
Retract / un-retract a version	yes	yes
Delete own package	yes	—
View activity log	yes	yes
Delete any package or version	—	yes
Re-score a version	—	yes
Regenerate dartdoc	—	yes

Package Options

Discontinue, unlist, and replacedBy are all set through the same endpoint:

PUT /api/packages/<pkg>/options
Content-Type: application/json

{
  "isDiscontinued": true,
  "replacedBy": "new_package",
  "isUnlisted": false
}

Omit a field to leave it unchanged.

Discontinue

Marks the package as no longer maintained. It remains downloadable but shows a clear banner in the web UI and surfaces a hint in dart pub.

PUT /api/packages/old_package/options
{ "isDiscontinued": true, "replacedBy": "new_package" }

See Discontinuing a Package for the full walkthrough, replacedBy semantics, and reversal.

Unlist

Unlisting hides the package from search and browse listings while keeping it fully downloadable for anyone who knows the name.

PUT /api/packages/internal_tool/options
{ "isUnlisted": true }

See Unlisting a Package for when to prefer unlist vs discontinue vs retract.

Version Retraction

Retraction is the soft alternative to deletion. A retracted version:

• Remains downloadable (existing pubspec.lock files keep resolving).
• Is excluded from resolution for new consumers (Dart SDK ≥ 2.15).
• Shows a retracted badge in the UI.

PUT /api/packages/<pkg>/versions/<v>/options
Content-Type: application/json

{ "isRetracted": true }

Un-retract with { "isRetracted": false }.

7-day windows are enforced by default

club follows the pub.dev policy: a version can only be retracted within 7 days of publishing, and restored within 7 days of retraction. Requests outside the window return 409 Conflict. Set ENFORCE_RETRACTION_WINDOW=false on the server to relax this on a private registry.

See Retracting a Version for the full flow, solver behaviour, and migration guidance for consumers of a retracted dependency.

Managing Uploaders

For uploader-owned packages, the uploader list controls who can push new versions and perform package administration. While a publisher is set the uploader list is not consulted; publisher membership governs access instead.

Add an uploader

PUT /api/packages/<pkg>/uploaders/<email>

Remove an uploader

DELETE /api/packages/<pkg>/uploaders/<email>

The last uploader cannot be removed — DELETE /api/packages/<pkg>/uploaders/<email> rejects the request when only one uploader remains, so every package always has at least one uploader on record.

List uploaders

GET /api/packages/<pkg>/uploaders

Setting or Clearing a Publisher

Package ownership can be handed to a publisher (see Publishers):

PUT /api/packages/<pkg>/publisher
{ "publisherId": "mycompany" }

Clear it back to uploader-only ownership with:

PUT /api/packages/<pkg>/publisher
{ "publisherId": null }

Setting a publisher does not delete the existing uploader rows, but while a publisher is set those uploaders no longer have effective access: permission checks for a publisher-owned package consult publisher membership only. If the publisher is later cleared, the package returns to uploader ownership; if no uploaders remain, the server adds the user who cleared it so the package is never orphaned.

Deleting Your Own Package

Any uploader (or publisher admin) can delete the whole package and all its versions:

DELETE /api/packages/<pkg>

Danger

Deletion is irreversible. All versions, metadata, scoring data, and archives are removed. Prefer discontinuing or unlisting unless you are sure.

Activity Log

Every package keeps an append-only activity log accessible to its uploaders, publisher admins, and server admins:

GET /api/packages/<pkg>/activity-log

It records events such as:

• Version published
• Version retracted / un-retracted
• Package discontinued / un-discontinued
• Package unlisted / re-listed
• Uploader added / removed
• Publisher set / cleared
• Package or version deleted

Each entry carries a timestamp, actor, event kind, summary, and the affected version (when applicable).

Admin-Only Operations

The following endpoints require the server admin role (or owner).

Delete any package or version

DELETE /api/admin/packages/<pkg>
DELETE /api/admin/packages/<pkg>/versions/<v>

Re-score a version

Re-queues a specific version for pana analysis — useful after upgrading the SDK or fixing scoring configuration.

POST /api/admin/packages/<pkg>/versions/<v>/rescore

See Package Scoring for the full flow.

Regenerate dartdoc

POST /api/admin/packages/<pkg>/regenerate-docs

The API server serves the regenerated docs once the job completes.