Publishing existing package overrides existing package to 0 bytes file

Describe the bug When trying to publish a package that already exists it says “npm ERR! publish fail Cannot publish over existing version.” But at the same time, something fails at the server and the existing file turns into a 0 bytes size file.

It doesn’t happen all the time, but it happens.

To Reproduce Steps to reproduce the behavior:

1. Try publishing a bunch of tgz packed packages with the command “npm publish xxxx.tgz” . (that already exist). I added a file at the bottom with some tgzs and script to execute it fast
2. get inside the server’s storage place and execute command “find -iname *.tgz -type f -size -1c”. It will show you all tgz files under 1 byte.
3. Try installing the package you found and you’ll get integrity error (0 bytes).

Expected behavior Expected the package to not get overwritten.

Screenshots Found files that are 0 bytes. Let’s look at the debug package.

Found in the logs a error that appers only on package that have been destroyed. It is marked

Docker || Kubernetes (please complete the following information):

• Openshift
• Docker - verdaccio:3.10.1

Configuration File (cat ~/.config/verdaccio/config.yaml)

# path to a directory with all packages
storage: ./storage

auth:
  htpasswd:
    file: ./htpasswd
    # Maximum amount of users allowed to register, defaults to "+inf".
    # You can set this to -1 to disable registration.
    #max_users: 1000

# a list of other known repositories we can talk to



packages:
  '@*/*':
    # scoped packages
    access: $all
    publish: $all

  '**':
    # allow all users (including non-authenticated users) to read and
    # publish all packages
    #
    # you can specify usernames/groupnames (depending on your auth plugin)
    # and three keywords: "$all", "$anonymous", "$authenticated"
    access: $all

    # allow all known users to publish packages
    # (anyone can register by default, remember?)
    publish: $all

    # if package is not available locally, proxy requests to 'npmjs' registry


# To use `npm audit` uncomment the following section
middlewares:
  audit:
    enabled: true

# log settings
logs:
  - {type: stdout, format: pretty, level: http}
  #- {type: file, path: verdaccio.log, level: info}

Debugging output Logs at the pictures.

Additional context adding a file with some packages for you to try. packages-demo.zip

1. Upload them all with the script.bat inside
2. Run the script.bat again
3. Look inside the server for 0 bytes packages.