Why Drizzle ORM couldn't publish new releases on NPM for a month | vlt /vōlt/<br>Doubling down on our open source pledge

Menu<br>June 23rd, 2026Why Drizzle ORM couldn't publish new releases on NPM for a month<br>Drizzle ORM recently hit a 100 MB limit in the npm registry and couldn't ship new releases for weeks. What is this limit?

Evert PotEvert Pot

svg]:px-2.5 inline-flex gap-1" data-slot="button" data-variant="ghost" data-size="sm" href="https://bsky.app/profile/evertpot.com">svg]:px-2.5 inline-flex gap-1" data-slot="button" data-variant="ghost" data-size="sm" href="https://github.com/evert">svg]:px-2.5 inline-flex gap-1" data-slot="button" data-variant="ghost" data-size="sm" href="https://www.linkedin.com/in/evert-pot">

svg]:pointer-events-none [&>svg]:size-3 text-foreground [a&]:hover:bg-accent [a&]:hover:text-accent-foreground capitalize">registrysvg]:pointer-events-none [&>svg]:size-3 text-foreground [a&]:hover:bg-accent [a&]:hover:text-accent-foreground capitalize">packages<br>Share

On June 4th the Drizzle ORM team published on Twitter that they were no<br>longer able to publish new releases to NPM due to running into a 100 MB<br>limit for 'packuments'.

— Drizzle ORM (@DrizzleORM)<br>June 4, 2026

This eventually got resolved with the help of NPM support by deleting a number of<br>unused older versions.

There was some confusion in the replies to the tweets, and since it's not the<br>first time we've seen this issue crop up, we thought it might be interesting<br>to explain what this limit is, how we got here and some steps you can take to avoid<br>running into this.

Manifests

When you run npm publish in your project and you've successfully<br>authenticated, the client submits the package and its metadata to the registry.

This is a big JSON object that contains:

A copy of your package.json.

A base64 encoded tarball.

A bunch of metadata

The registry annotates that package.json with some extra meta-data for<br>security and other reasons, and now calls it a 'manifest'. This manifest<br>is available on the registry after publishing. For example, here's a link to a<br>manifest of a recent Drizzle release:

https://registry.npmjs.org/drizzle-orm/0.45.2

It mostly looks like a package.json file. Notably this is a pretty large<br>example due to drizzle having a lot of individual ESM exports. It clocks in<br>at 131 KB , which is one of the bigger ones I've seen.

Packuments

NPM was originally built on CouchDB, which is a document store (a kind of<br>database that's more like a big key value store than a table with rows,<br>columns and queries).

For the NPM CLI to be able to find out about all versions of a package the<br>decision was made to create a new kind of document that has metadata about<br>the entire package and all its versions. This is called a 'packument'.

The packument is automatically updated by the registry, and actually<br>contains all the manifests of every version ever released. For example, you<br>can take a look at this packument of React here:

https://registry.npmjs.org/react

This is 6MB, which is not bad for its 2,841 published versions. The registry<br>makes an effort to strip out some unneeded elements from the<br>manifest/package.json before adding it to the packument, but it keeps<br>all the exports.

The 100 MB limit.

These packuments are always downloaded in full whenever you install a new<br>package (e.g.: not from a lockfile). So it made sense to set a sensible<br>upper limit for how large they can be, and 100 MB was chosen (before<br>compression). This limit in itself feels reasonable given how often it<br>gets downloaded, to prevent abuse and given that it might be passed to<br>JSON.parse() by all kinds of tools.

But you can easily see then that at Drizzle's 131 KB per release, it only<br>takes about 763 releases to max out. It also seems that Drizzle recently<br>started automatically publishing snapshot releases straight from git<br>commits, which made them run into this limit even quicker.

Once that limit is reached, the NPM registry will simply refuse any new versions<br>from being published.

A long time ago it would have been possible for them to simply delete<br>old or uninteresting versions, but NPM now prevents versions from being deleted<br>after 72 hours of when it was published to help with security and<br>maintaining stability in the ecosystem.

The only option Drizzle had was to try to get in touch with the (small and<br>understaffed) NPM team at Github so they could delete packages on their behalf,<br>which took a while.

Is my project at risk of hitting this limit?

Run the following command (replacing the package name) to see the size of<br>your packument currently:

curl -s https://registry.npmjs.org/react | wc -c | awk '{printf "%.2f MiB\n", $1/1024/1024}'

How can I avoid large manifests?

Probably the top suggestion we'd make is don't publish all your dev builds.

Most of your users will never care about these and they will<br>perpetually contribute to the total download size of every future fresh<br>install ever, which not only slows it down, it's also...