Private NPM package @atlassian/repo-feature-flags required by a bunch of popular public atlaskit packages

Hi there,

I noticed that a bunch of atlaskit packages recently started relying on @atlassian/repo-feature-flags, which is a private package. These other packages subsequently fail to install.

That package is depended upon by @atlaskit/enforce-peer-dependencies since version 1.0.2, released ~21 hours ago at this point.

This breaks all newer package versions depending on @atlaskit/enforce-peer-dependencies, which currently include:

The error message generated by npm (for SEO):

npm ERR! code E404
npm ERR! 404 Not Found - GET - Not found
npm ERR! 404
npm ERR! 404  '@atlassian/repo-feature-flags@*' is not in this registry.

The error message generated by yarn (v1):

error Couldn't find package "@atlassian/repo-feature-flags@*" required by "@atlaskit/enforce-peer-dependencies@^1.0.1" on the "npm" registry.

As a workaround, you can pin @atlaskit/enforce-peer-dependencies to version 1.0.1, which does not have the dependency on the private package yet.

You can either use the resolutions field in your package.json (recommended):

"resolutions": {
    "@atlaskit/enforce-peer-dependencies": "1.0.1"
}

Or manually adjust the versions in your lockfile.

Atlassian: Could you please remove the references to the private package from public atlaskit packages again :slight_smile:?

Tobi from resolution



oOOo oOOo

We also came to the same workaround, after much head scratching. Couple of hours down the drain!


Hi Everybody,

Thank you for bringing this to our attention and we are really sorry for the inconvenience.

We have the team in charge looking at this right now and hopefully we will get a fix out soon.

Thank you for your patience and we will post another update once the fix is out.


I wonder if the team could treat this as an incident, including a write-up to explain to their customers what went wrong and what measures they’re putting in place to make sure it doesn’t happen again.
It would be great if the team hung out here more too.


Sorry for the incident. We’ve removed the private dependency and patched these affected packages. We’ll probably add a check to prevent public packages from bringing in private packages, so that it doesn’t happen again.
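
The last reply mentions a check that stops public packages from bringing in private ones. One way such a pre-publish check could look, as an added example that is not Atlassian's code: it assumes the monorepo's package.json files have already been parsed into objects, and the function name `findPrivateLeaks`, the package `@atlaskit/example-consumer` and the sample versions are constructed for illustration.

```javascript
// Added example: constructed manifests, not Atlassian's real package.json files.
// Fields that a consumer's install resolves; devDependencies are never
// installed for consumers, so a private devDependency is not a leak.
const INSTALLED_FIELDS = ['dependencies', 'peerDependencies', 'optionalDependencies'];

// npm refuses to publish a manifest that sets "private": true.
const isPublishable = (manifest) => manifest.private !== true;

// manifests: parsed package.json objects from the workspace.
// extraPrivateNames: names that exist only on an internal registry (assumption).
// Returns one finding per edge from a publishable package to a private one.
function findPrivateLeaks(manifests, extraPrivateNames = []) {
  const privateNames = new Set(extraPrivateNames);
  for (const m of manifests) {
    if (!isPublishable(m)) privateNames.add(m.name);
  }
  const findings = [];
  for (const m of manifests.filter(isPublishable)) {
    for (const field of INSTALLED_FIELDS) {
      for (const [dep, range] of Object.entries(m[field] || {})) {
        if (privateNames.has(dep)) {
          findings.push({ package: m.name, version: m.version, field, dep, range });
        }
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the thread: 1.0.2 of the public package
// declares the private package with range "*".
const sampleManifests = [
  { name: '@atlassian/repo-feature-flags', version: '0.0.0', private: true },
  { name: '@atlaskit/enforce-peer-dependencies', version: '1.0.2',
    dependencies: { '@atlassian/repo-feature-flags': '*' } },
  { name: '@atlaskit/example-consumer', version: '1.0.0', // hypothetical package
    dependencies: { '@atlaskit/enforce-peer-dependencies': '^1.0.1' },
    devDependencies: { '@atlassian/repo-feature-flags': '*' } },
];

// A CI job would fail the publish step when this list is non-empty.
for (const f of findPrivateLeaks(sampleManifests)) {
  console.log(`${f.package}@${f.version}: ${f.field} -> ${f.dep}@${f.range} is private`);
}
```

The check only sees direct edges, which is enough here: every publishable package in the workspace is scanned, so a transitive leak is reported at the package that introduces it.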