npmjs.org tells me that left-pad is not available (404 page) #4

Closed
silkentrance opened this Issue Mar 22, 2016 · 193 comments

@silkentrance

When building projects on travis, or when searching for left-pad on npmjs.com, both will report that the package cannot be found.

Here is an excerpt from the travis build log

npm ERR! Linux 3.13.0-40-generic
npm ERR! argv "/home/travis/.nvm/versions/node/v4.2.2/bin/node" "/home/travis/.nvm/versions/node/v4.2.2/bin/npm" "install"
npm ERR! node v4.2.2
npm ERR! npm  v2.14.7
npm ERR! code E404
npm ERR! 404 Registry returned 404 for GET on https://registry.npmjs.org/left-pad
npm ERR! 404 
npm ERR! 404 'left-pad' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 It was specified as a dependency of 'line-numbers'
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
npm ERR! Please include the following file with any support request:
npm ERR!     /home/travis/build/coldrye-es/pingo/npm-debug.log
make: *** [deps] Error 1

And here is the standard npmjs.com error page https://www.npmjs.com/package/left-pad

However, if I remove left-pad from my local npm cache and then reinstall it using npm it will happily install left-pad@0.0.4.

@tonytamps

tonytamps Mar 22, 2016

according to https://registry.npmjs.org/left-pad

unpublished: {
  name: "azer",
  time: "2016-03-22T21:27:15.696Z",
  ...
}

It's causing Babel to fail installation

@silkentrance silkentrance changed the title from npmjs.org tells me that left-pad is not available to npmjs.org tells me that left-pad is not available (404 page) Mar 22, 2016

@silkentrance

silkentrance Mar 22, 2016

@tonytamps thanks for pointing this out

@azer why? this will break babel based builds on travis...

@Baggz

Baggz Mar 22, 2016

I'm having the same issue.

@jagthedrummer

jagthedrummer Mar 22, 2016

Yep, I'm having the same problem.

@Baggz

Baggz Mar 22, 2016

Seems like https://www.npmjs.com/package/left-pad is up again, but no versions published.

@OllieJennings

OllieJennings Mar 22, 2016

@tonytamps it seems like the registry has updated weirdly

{
  "_id": "left-pad",
  "_rev": "12-29db2b53680e1c66ee1acc89502fe1b0",
  "name": "left-pad",
  "time": {
    "modified": "2016-03-22T21:42:18.002Z",
    "created": "2014-03-14T09:09:20.762Z",
    "0.0.0": "2014-03-14T09:09:20.762Z",
    "0.0.1": "2014-08-14T03:31:03.146Z",
    "0.0.2": "2014-08-15T07:13:09.056Z",
    "0.0.3": "2014-08-15T07:14:44.360Z",
    "0.0.4": "2015-05-20T04:04:04.473Z",
    "1.0.0": "2016-03-22T21:42:18.002Z",
    "unpublished": {
      "name": "westlac",
      "time": "2016-03-22T21:47:25.250Z",
      "tags": {
        "latest": "1.0.0"
     },

@camwest

camwest Mar 22, 2016

Contributor

Yeah I published a 1.0.0 to try to resolve the dependency. It looks like someone (not me) completely removed left-pad from the npm registry

@jagthedrummer

jagthedrummer Mar 22, 2016

Is there a way to get all the old versions back again? In my project it's at the end of a fairly long dependency chain...

@camwest

camwest Mar 22, 2016

Contributor

@azer would know better why it was unpublished (assuming he was the one to unpublish it)

@jmcriffey

jmcriffey Mar 22, 2016

@camwest The package line-numbers is pinned to 0.0.3 specifically, so you'll need to publish that version or someone will have to summon the creator of line-numbers.

@silkentrance

silkentrance Mar 22, 2016

Just tried replacing the travis version of npm, which is fairly old, with the latest to see what it will do

npm ERR! Linux 3.13.0-40-generic
npm ERR! argv "/home/travis/.nvm/versions/node/v4.2.2/bin/node" "/home/travis/.nvm/versions/node/v4.2.2/bin/npm" "install"
npm ERR! node v4.2.2
npm ERR! npm  v3.8.2
npm ERR! No compatible version found: left-pad@0.0.3
npm ERR! Valid install targets:
npm ERR! 0.0.9
npm ERR! 
npm ERR! 
npm ERR! If you need help, you may report this error at:
npm ERR!     <https://github.com/npm/npm/issues>
npm ERR! Please include the following file with any support request:
npm ERR!     /home/travis/build/coldrye-es/pingo/npm-debug.log
make: *** [deps] Error 1

It will now tell me that there is a version 0.0.9... weird.

Will not try to install that one, though, with all the malware going around...

@RongxinZhang

RongxinZhang Mar 22, 2016

+1 same issue here.

@OllieJennings

OllieJennings Mar 22, 2016

@RongxinZhang try and use the new GitHub reactions instead of the old +1 :)

@olih

olih Mar 22, 2016

+1 same issue

@camwest

camwest Mar 22, 2016

Contributor

@jmcriffey I can't publish 0.0.3 because it's already been published and removed. NPM forbids publishing a version of the same library twice.

See npm/npm-registry-couchapp#148 for context

@silkentrance

silkentrance Mar 22, 2016

@lydell is there a way to make line-numbers work again, perhaps an alternate package or by depending on left-pad@1.0.0 instead?

@danteoh

danteoh Mar 22, 2016

+1... this is messing things up for a lot of ppl.

@camwest

camwest Mar 22, 2016

Contributor

See lydell/line-numbers#3

This pull request needs to be merged and line-numbers needs to be republished

@tomcat90

tomcat90 Mar 22, 2016

+1 Also broke my stuff

@phamcharles

Same

@anauleau

anauleau Mar 22, 2016

Same - broke my build

@laurelnaiad

laurelnaiad Mar 22, 2016

This kind of just broke the internet.

@vhmth

vhmth Mar 22, 2016

It broked our build. Halp pl0x. Demo video for investors needs deploy soon. :-)

@laurelnaiad

laurelnaiad Mar 22, 2016

My build wants version 0.0.3 back or else it's going to hold me hostage. npm reports the only valid install target is 0.0.9

@yentsun

yentsun Mar 22, 2016

was about to deploy after weeks of work (to demonstrate to the client) and bam - this issue.

@jacksonrayhamilton

jacksonrayhamilton Mar 22, 2016

> It looks like someone (not me) completely removed left-pad from the npm registry

Time to update your password / credentials?

@jmcriffey

jmcriffey Mar 22, 2016

@camwest Ah yeah, I forgot it won't let you republish a version. Seems like you shouldn't be able to delete a version either. The github profile @lydell says they are in Sweden so we might be out of luck until morning there.

@camwest

camwest Mar 22, 2016

Contributor

@jacksonrayhamilton I'm not the original author. When it was removed from npm I just forked this repo and republished it.

@camwest

camwest Mar 22, 2016

Contributor

Chatting in https://slack.babeljs.io #discussion fyi

@camwest

camwest Mar 22, 2016

Contributor

Emergency release of babel with line numbers dependency removed incoming soon...

@loganfsmyth

loganfsmyth Mar 22, 2016

Yep, given that it's unclear when line-numbers will be updated, we're dropping the dependency from babel-code-frame for now until we have more time to resolve.

@paladox

paladox Mar 22, 2016

@azer or @camwest please could you republish this repo.

@maxkostow

maxkostow Mar 22, 2016

You can install from github by adding left-pad to your package.json.

"dependencies": {
  "left-pad": "git://github.com/azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355"
}

@ccutch

ccutch Mar 22, 2016

I made a pull request to line-numbers that is using this as a dependency, if you guys want to thumb that up so he sees it: lydell/line-numbers#2. I believe @camwest made one too.

@ccutch

ccutch commented Mar 22, 2016

@loganfsmyth care to use lodash? https://lodash.com/docs#padStart

@callmevlad

callmevlad Mar 23, 2016

Is there a possibility that these packages could turn malicious, and everyone who relied on them is in big trouble after their next npm install? 😨

Yes: https://news.ycombinator.com/item?id=11341006

@KoryNunn

KoryNunn Mar 23, 2016

@drewhamlett so any module installed in the normal sudo'd global way would be able to do anything. Another good reason to use nvm.

@zerkms

zerkms Mar 23, 2016

@tlrobinson 2 links to the PR were more than enough, really.

@SomeoneWeird

SomeoneWeird Mar 23, 2016

@drewhamlett doesn't stop it wiping out your home directory, including all your ssh keys etc (you have backups, right?)

@Lana-chan

Lana-chan Mar 23, 2016

No, let's post it again! Maybe it'll fix itself!

@azu azu referenced this issue Mar 23, 2016

Closed

textlint is broken #175

@jacksonrayhamilton

jacksonrayhamilton Mar 23, 2016

Here's a quick script to check if you depended on any of @azer's packages (tested with npm@2.14.7 and npm@3.7.3). If you find any, you should confirm they are still safe.

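#!/usr/bin/env bash
# Download the list of package names from the gist, turn each name into the
# pattern " name@" as it appears in the `npm ls` tree, and print the lines of
# the dependency tree that match one of those patterns.
curl https://gist.githubusercontent.com/azer/db27417ee84b5f34a6ea/raw/50ab7ef26dbde2d4ea52318a3590af78b2a21162/gistfile1.txt \
    | sed 's/^\(.*\)$/ \1@/' \
    > ~/suspicious-packages.txt \
    && npm ls \
    | grep -f ~/suspicious-packages.txt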

@dolkensp

dolkensp Mar 23, 2016

@tlrobinson The PR doesn't matter - npm is going to address this issue the same way they addressed long-file-paths in windows - "Not our problem, go away"

@orf

orf Mar 23, 2016

Didn't they address long file paths in Windows by releasing a flat node_modules structure? That's the exact painstaking opposite of "Not our problem, go away".

@tlrobinson

tlrobinson Mar 23, 2016

List of number of packages depending on those unpublished by @azer: https://gist.github.com/tlrobinson/05d2354a71f5491d2f5a

@davidmason

davidmason Mar 23, 2016

Didn't really expect to spend the last hours of my day cleaning up after another's tantrum.

@aduth so you're happy to use someone's code that they shared with the world for free, and you feel that your investment of $0 entitles you to some standard of service?

@drewhamlett

drewhamlett Mar 23, 2016

@davidmason Oh here we go again. Thanks a bunch.

@deoxxa

deoxxa Mar 23, 2016

If anyone is confused about @davidmason's comment, it was in reference to a now-deleted reply. Anyone who has email notifications turned on in this thread probably has a copy in their inbox.

@zombieJ

zombieJ Mar 23, 2016

Open source should not be oppressed. Though it cost others time, you have the reason to do that.

@joeandaverde

joeandaverde Mar 23, 2016

@davidmason the suck it up, you didn't earn it, move on mentality contributes negatively to the validity and trustworthiness of the OSS community.

@deoxxa

deoxxa Mar 23, 2016

@joeandaverde the "you made it, you have to support the way I use it" mentality contributes negatively to the experience of being a part of the OSS community.

@matthew-dean

matthew-dean Mar 23, 2016

Safe harbor just means that NPM is safe (somewhat) from prosecution even if someone hosts copyrighted works on NPM. It doesn't mean they don't have to act on behalf of trademark / copyright owners.

@jackwanders

jackwanders Mar 23, 2016

@jacksonrayhamilton thanks for the script; I made a tweak to output the full install path for any of @azer's packages found in a project:

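#!/usr/bin/env bash
# Same check as above, but each name from the gist becomes the pattern
# "/name$" so that it matches the end of an install path printed by
# `npm ls --parseable`.
curl https://gist.githubusercontent.com/azer/db27417ee84b5f34a6ea/raw/50ab7ef26dbde2d4ea52318a3590af78b2a21162/gistfile1.txt \
    | sed 's/^\(.*\)$/\/\1$/' \
    > ~/suspicious-packages.txt \
    && npm ls --parseable \
    | grep -f ~/suspicious-packages.txt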

This gave me the output:

/Users/jackwanders/some-project/node_modules/babel/node_modules/babel-core/node_modules/line-numbers/node_modules/left-pad

Hopefully this might help others determine how to proceed if they are relying on any of these packages.
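
An offline variant of the two checks above, as an added example that is not part of the thread: it compares the package name at the end of each `npm ls --parseable` path for exact equality with a saved name list, so regex characters in names, longer names with the same suffix, and scoped packages do not produce false matches. The function names, file names and sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread.
#
# find_listed_packages LIST_FILE PATHS_FILE
#   LIST_FILE  : one package name per line (e.g. a saved, reviewed copy of
#                the package list instead of a fresh download)
#   PATHS_FILE : saved output of `npm ls --parseable`, one path per line
# Prints every install path whose package name, i.e. everything after the
# last "/node_modules/", is exactly equal to a name in LIST_FILE.
find_listed_packages() {
    awk '
        # First file: load the names into a set. Blank lines are skipped
        # and a trailing CR (Windows line ending) is stripped.
        FILENAME == ARGV[1] {
            sub(/\r$/, "")
            if ($0 != "") names[$0] = 1
            next
        }
        # Second file: compare the last package in the path by equality,
        # not by regular expression.
        {
            n = split($0, parts, "/node_modules/")
            if (n < 2) next            # project root, not a dependency
            pkg = parts[n]             # "left-pad" or "@scope/name"
            if (pkg in names) print $0
        }
    ' "$1" "$2"
}

# Runs the check on constructed sample data and prints the matches.
demo() (
    dir=$(mktemp -d) || exit 1

    # Constructed name list (stand-in for the list in the gist).
    printf '%s\n' 'left-pad' 'some.pkg' > "$dir/names.txt"

    # Constructed `npm ls --parseable` output. Only the third line is a
    # real match: "my-left-pad" is a different package, "somexpkg" would
    # match the regex "some.pkg", and "@acme/left-pad" is a scoped package
    # that merely ends in "/left-pad".
    cat > "$dir/paths.txt" <<'EOF'
/home/dev/app
/home/dev/app/node_modules/babel-core
/home/dev/app/node_modules/babel-core/node_modules/line-numbers/node_modules/left-pad
/home/dev/app/node_modules/my-left-pad
/home/dev/app/node_modules/somexpkg
/home/dev/app/node_modules/@acme/left-pad
EOF

    find_listed_packages "$dir/names.txt" "$dir/paths.txt"
    rm -rf "$dir"
)

demo
```
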

@sphvn

sphvn Mar 23, 2016

Surely Kik could have just spent 5 seconds to realise that the NPM package had nothing to do with anything related to them. Solid effort on notifying a bunch of people as to what happened though.

Like others have said, his code can do what he wants with it, it's open source if you wish to republish then do so, rather than complain.

@iroy2000

iroy2000 Mar 23, 2016

Our build job caught that left-pad issue fortunately, and we ended up upgrading one of our npm modules to its latest version, which solved the problem, and my co-worker just swore in the team chatroom :)

@thesoftwarejedi

thesoftwarejedi Mar 23, 2016

This is a great example of why decentralizing the package hosting can solve the problem. If package hosting were done via a technology such as zeronet and torrents, this could be entirely avoided.

I'll be looking into this in the coming months.

@stevemao

stevemao Mar 23, 2016

Owner

@azer transfer the module to me please 😄 since I'm the only other author of the module 😀

@azer

azer Mar 23, 2016

Collaborator

@stevemao is the new owner of the module, not sure how he can take the npm ownership.

@widnyana widnyana referenced this issue Mar 23, 2016

Closed

npm leftpad #13

@stevemao

stevemao Mar 23, 2016

Owner

Thanks @azer 👍

@parro-it parro-it referenced this issue Mar 23, 2016

Merged

adds pad-left #9

@xzer

xzer Mar 23, 2016

Thanks @azer, you did the right thing, which makes us understand how dangerous npm is to us, open source developers. You gave a perfect warning to all the world, telling us not to trust the bullshit npm any more.

To be honest, great work!

@isaacs

isaacs Mar 23, 2016

@KoryNunn @SomeoneWeird @zerkms @drewhamlett If you run npm as root, it'll process.setuid() to a nobody user. https://docs.npmjs.com/misc/scripts#user

@KoryNunn

KoryNunn Mar 23, 2016

@isaacs that is really good. There are however many other malicious things that can be done without sudo, like grabbing private keys.

@winterbe

winterbe Mar 23, 2016

I don't wanna imagine what happens when tomorrow someone trademarks Lodash and wreaks havoc. 💥

Maybe it's time to add an exclusion clause to Open Source licenses for companies like Kik?

BTW: Ask one of 80 million Germans about Kik and they'll recognize a completely different company.

@azer

azer Mar 23, 2016

Collaborator

@f thank you for your understanding and support, Fatih :)

@tjacobs

tjacobs Mar 23, 2016

This is why Docker exists. Because dependency management is trouble. Pack it all into one package. Do we need a Docker for JS?

@azer azer closed this Mar 23, 2016

Repository owner locked and limited conversation to collaborators Mar 23, 2016

@stevemao

stevemao May 1, 2016

Owner

1.1.0 is released :)
