| Maven Central |
No (immutable) |
Immutability policy: once released, artifacts aren’t altered; publish a new version instead (policy). Malware exceptions are handled via removal workflows (malware guidance, removal guide). |
| Google Maven |
Not publicly documented as mutable |
Used alongside Maven Central in Android builds; no public post-publish overwrite policy — treat releases as immutable (Android docs, repo index). |
| JitPack |
Yes, for 7 days |
Public artifacts can be rebuilt/removed for 7 days, then frozen (immutability, API “7 days”). |
| JCenter (historical) |
Read-only now |
Sunset; no new versions. |
| GitHub Packages (Maven/npm) |
Varies |
Delete/restore supported across registries (GH docs, REST API). Behavior depends on registry & org policy. |
| npm Registry |
Versions immutable |
Registry data is immutable (no code/metadata edits after publish) with controlled unpublish (policy, CLI). Dist-tags are mutable (e.g., latest) — can re-point tags (dist-tag docs). Reproducibility via lockfiles/integrity (package-lock, npm ci). |
| PyPI |
No overwrite |
No filename reuse — to change bits, publish a new version (help). |
| NuGet.org |
No overwrite |
Push of duplicate ID+version is rejected (409) — unlist/deprecate instead (delete/unlist policy, FAQ on immutability/signing, 409 evidence). |
| Docker Hub |
Tags mutable; digests immutable |
Pin by digest for immutability (digest explainer, pull by digest). Docker Content Trust retired (announcement). |
| GHCR |
Tags mutable; digests immutable |
Standard OCI semantics. Delete/restore supported (GH docs). |
| Quay.io |
Tags mutable; digests immutable |
Tags can be moved/edited (tag ops / Red Hat docs); Clair vuln scanning (overview, Clair project). |
| Amazon ECR Public |
Tags mutable by default; digests immutable |
Pull by digest (docs). Private ECR repos support tag immutability policies (docs, create repo option). |