NPM registry prank leaves developers unable to unpublish packages
Oh wow a NPM vulnerability. Truly a day ending .
So pretty much a normal JS project? This stuff is barely parody.
JavaScript
boomers literally shitpost a language in 1995
NPMcels deserve all this and worse.
This website has aids
Same
ublock chads stay winning
U can't block my aids riddled peepee in ur butt
o yes i can
My people have evolved to have butthair stronger than steel and the fine musculature to be able to control it; your hog will be like a large bird trying to fly through a chain-link fence.
Npm is a joke package manager
Javascript is a dark comedy
TBF, all package managers are shitty
On Dec. 29, a package titled “everything” was published to the registry, which is designed to install all other public packages in the registry. This created a registry-wide web of dependencies that effectively disabled the ability to unpublish packages on the site, as packages that other packages are dependent on cannot be unpublished.
The incident triggered responses from developers left unable to unpublish their deprecated or experimental packages, as well as criticism from some who viewed the stunt as an abuse of the open-source NPM system.
The developers behind “everything” said they did not anticipate these consequences and reached out to NPM and GitHub to resolve the issue. Ironically, the team was left unable to unpublish “everything” themselves due to a circle of dependencies that essentially made the package dependent on itself.
“We just thought it would be funny,” wrote Evan Boehs, an “everything” contributor, in response to another GitHub user's question about the project's purpose. “We did not know all this would happen.”
The “everything” package was accompanied by a “README” file stating “Please don't actually install this…” It also included a meme image of Gary Oldman from the film “Léon,” depicting a scene in which Oldman's character dramatically shouts the word “everyone.”
The “about” section of the “everything” repository also includes a link to the website “everything.npm.lol,” which displays an animation depicting numerous packages being installed followed by a meme from the video game “The Elder Scrolls V: Skyrim.”
Despite the warning to not install the package, the NPM registry site indicates “everything” was downloaded 224 times as of Jan. 3.
Jossef Harush, head of the supply chain security engineering group at Checkmarx, said in a blog post that installing “everything” would likely result in a denial of service (DoS). Harush also refers to the project as a “troll campaign.”
“I want to reiterate that we aren't trolls, we are at worst QA testers for NPM, and at best comedians and creative coders,” Boehs wrote separately in a comment on GitHub.
The sweeping effect of “everything” across the entire NPM registry exposes flaws in the NPM open-source system, argues contributor PatrickJS on GitHub, who goes by the username gdi2290 on the NPM site.
“to be clear this is an edge-case in NPM's unpublish policy which doesn't account for ‘*',” PatrickJS wrote on GitHub, referring to the star symbol that indicates a package's dependency on any and all versions of another package. PatrickJS suggested that GitHub should allow developers to unpublish a package if its dependents rely on “star versions,” or disable this use of “*” altogether.
“One other thing to note while discussing this fiasco, we considered that this could have been exploited for much more malicious reasons,” said fellow contributor Boehs. “Say, if somebody accidentally uploads sensitive information, a bad actor could make packages to keep it up. It's good this was caught in this way instead of after being exploited in the wild.”
Some other developers were not convinced, expressing frustration and disapproval on the “everything” repository's issues board.
One user, Matt Lupeepee, lambasted the group for “reckless negligence” and for blaming NPM for the fallout of their project.
“You have deluded yourselves into believing that the problem isn't that you abused the registry, but that npm's unpublish rules don't hold up to someone abusing the registry in this way,” Lupeepee wrote, adding that the unpublish rules are necessary to “protect the integrity of the registry.”
Nicolas Ventura, a data center engineer at Lawrence Berkeley National Lab, reported that one of his deprecated packages was impacted by the dependency issue, and said that while the project was “interesting and humorous,” it ultimately caused unnecessary problems.
“This project certainly feels like spam and the thousands of sub-packages should not have been published to the official NPM repository and are just causing clutter,” Ventura wrote. “I'm fascinated that NPM didn't flag or block any packages from being published, since many other websites, like social media has posting limits.”
The “everything” package, which has more than 3,000 sub-packages, remains published on the NPM registry as of this writing, although PatrickJS reported that GitHub was actively working to fix the issue since Tuesday night.
Lupeepee and Harush note previous instances of developers publishing NPM packages that created a stir due to the creation of registry-wide dependencies.
In 2012, the “hoarders” package, described by its creators as “node.js's most complete ‘utility grab-bag,'” created dependencies for all 20,000 modules published in the NPM registry at the time. The project received backlash and was later revised to work without creating direct dependencies to the utilities it installs.
More recently, in January 2023, a package called “no-one-left-behind” was made dependent on all other packages in the NPM registry. The package was removed by NPM, which labeled it as containing “malicious code,” although more than 33,000 subpackages of “no-one-left-behind” continued to exist, causing some difficulty.
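As an added illustration that is not part of the article above and not code from the “everything” project, the JavaScript below models the one registry rule the article describes (a package with published dependents cannot be unpublished) over a constructed set of manifests, with a single “chunk” package that depends on every other name with a “*” range and closes the cycle back to “everything”. It also implements the relaxation PatrickJS proposed, ignoring dependents that pin nothing but “*”. All package names are hypothetical.

```javascript
// Added example, not from the article or the "everything" project.
// Models npm's "no unpublish while something depends on you" rule over
// constructed manifests; every package name here is hypothetical.

const manifests = [
  { name: "left-tab",          version: "1.0.0", dependencies: {} },
  { name: "my-old-experiment", version: "0.1.0", dependencies: {} },
  { name: "webapp",            version: "2.3.1", dependencies: { "left-tab": "^1.0.0" } },
  // One chunk package that depends on every other name with "*" (any version),
  // including the package that depends on it, which is what makes the cycle.
  { name: "everything-chunk-0", version: "1.0.0",
    dependencies: { "left-tab": "*", "my-old-experiment": "*", "webapp": "*", "everything": "*" } },
  { name: "everything", version: "1.0.0", dependencies: { "everything-chunk-0": "*" } },
];

// Reverse dependency graph: package name -> [{ name: dependent, range }].
function reverseDeps(manifests) {
  const dependents = new Map(manifests.map((m) => [m.name, []]));
  for (const m of manifests) {
    for (const [dep, range] of Object.entries(m.dependencies || {})) {
      if (!dependents.has(dep)) dependents.set(dep, []);
      dependents.get(dep).push({ name: m.name, range });
    }
  }
  return dependents;
}

// Would `pkg` pass the dependents check? With ignoreStarRanges=true, dependents
// whose range is exactly "*" do not count (the relaxation proposed in the article).
function unpublishStatus(manifests, pkg, { ignoreStarRanges = false } = {}) {
  const dependents = reverseDeps(manifests).get(pkg) || [];
  const blocking = ignoreStarRanges
    ? dependents.filter((d) => d.range !== "*")
    : dependents;
  return {
    package: pkg,
    canUnpublish: blocking.length === 0,
    blockedBy: blocking.map((d) => d.name).sort(),
    // true when the only thing holding the package in the registry is "*" dependents
    starOnly: dependents.length > 0 && dependents.every((d) => d.range === "*"),
  };
}

// Every package in the graph that is blocked solely by "*" dependents.
function starOnlyVictims(manifests) {
  return [...reverseDeps(manifests).keys()]
    .filter((name) => unpublishStatus(manifests, name).starOnly)
    .sort();
}

if (typeof require !== "undefined" && require.main === module) {
  for (const m of manifests) console.log(unpublishStatus(manifests, m.name));
  console.log("blocked only by star ranges:", starOnlyVictims(manifests));
}
```

Run it and every package except `left-tab` reports `starOnly: true`, i.e. nothing but a wildcard dependent keeps it published; `left-tab` is still legitimately blocked by `webapp`, which is the case the real rule exists for. The “everything” package itself is blocked by its own chunk, which is the self-dependency the article mentions. The model covers only the dependents criterion; npm applies further conditions to unpublishing that the article does not go into.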
that was such a good scene too
I want the pills he takes
if i need to get frozen a birthday present... get her pills...
bruh i permalurk and even i knew that
It's your fault we made an impressively broken system
What?
NOOOOOOOO! I. MUST. POOOOOOOOBLISH!!!!!
I hate when my EULA violations disrupt my systems.
"we are at worst QA testers for NPM"
Oh great, rogue QA testers, definitely not my worst nightmare or anything
NPM users get what they deserve
Lol I'm sure they implemented this stupid policy because of the left-pad incident. Given the stupidity of codecels in the first place and their need to import a dependency for the most trivial of tasks, the “everything” incident is probably the least bad incident which could happen to NPM.
Any software team not pulling dependencies from a private registry for their own applications/libraries should be fired.
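An added example, not part of the comment above and not npm's own tooling, of the check a team that fronts npm with a private registry would actually run: walk `package-lock.json` (lockfileVersion 2/3 “packages” layout) and fail the build if any dependency resolves outside the approved registry, comes from a git or file source, or lacks an integrity hash. The registry URL and the lockfile contents are constructed for illustration.

```javascript
// Added example, not from the page or from npm. Audits a package-lock.json
// so that every dependency resolves to one approved registry host.
// The registry URL and the sample lockfile are constructed (hypothetical).

const APPROVED_REGISTRY = "https://npm.internal.example.com"; // hypothetical

const sampleLock = {
  name: "webapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "webapp", version: "2.3.1" },
    "node_modules/left-tab": {
      version: "1.0.0",
      resolved: "https://npm.internal.example.com/left-tab/-/left-tab-1.0.0.tgz",
      integrity: "sha512-AAAA", // placeholder, not a real hash
    },
    "node_modules/everything": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/everything/-/everything-1.0.0.tgz",
      integrity: "sha512-BBBB", // placeholder
    },
    "node_modules/leftpad-fork": {
      version: "0.0.1",
      resolved: "git+ssh://git@github.com/someone/leftpad-fork.git#abc123",
    },
    "node_modules/no-hash": {
      version: "3.0.0",
      resolved: "https://npm.internal.example.com/no-hash/-/no-hash-3.0.0.tgz",
    },
  },
};

// Returns a list of findings; an empty list means the lockfile is clean.
function auditLockfileOrigins(lock, approvedRegistry) {
  const approvedOrigin = new URL(approvedRegistry).origin;
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;      // the root project itself
    if (entry.link) continue;       // workspace symlink, no tarball
    const { resolved, integrity } = entry;
    if (!resolved) {
      findings.push({ path, problem: "no resolved URL" });
      continue;
    }
    // git+ssh:, git+https:, file: and friends never went through the registry
    if (!/^https?:\/\//.test(resolved)) {
      findings.push({ path, problem: "non-registry source", resolved });
      continue;
    }
    if (new URL(resolved).origin !== approvedOrigin) {
      findings.push({ path, problem: "unapproved registry", resolved });
    }
    if (!integrity) {
      findings.push({ path, problem: "missing integrity hash" });
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  const findings = auditLockfileOrigins(sampleLock, APPROVED_REGISTRY);
  for (const f of findings) console.log(`${f.path}: ${f.problem}`, f.resolved || "");
  process.exitCode = findings.length === 0 ? 0 : 1;
}
```

Against the sample lockfile this flags three entries: `everything` pulled from the public registry, `leftpad-fork` coming from git, and `no-hash` with no integrity field. Pair it with an `.npmrc` that sets `registry=` to the private host and with `npm ci` in CI, so the lockfile, not whatever the developer's machine resolves, is what gets installed.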
Whoever user "snappy" is, he needs to be permanently banned. NO warning, banishment. Scroll down to his post on this page. It's pure bullshit. And he's posting pure gibberish.
Snapshots:
ghostarchive.org
archive.org
archive.ph