npmjs.org tells me that left-pad is not available (404 page) #4

Closed
silkentrance opened this Issue Mar 22, 2016 · 193 comments

@silkentrance

When building projects on travis, or when searching for left-pad on npmjs.com, both will report that the package cannot be found.

Here is an excerpt from the travis build log

npm ERR! Linux 3.13.0-40-generic
npm ERR! argv "/home/travis/.nvm/versions/node/v4.2.2/bin/node" "/home/travis/.nvm/versions/node/v4.2.2/bin/npm" "install"
npm ERR! node v4.2.2
npm ERR! npm  v2.14.7
npm ERR! code E404
npm ERR! 404 Registry returned 404 for GET on https://registry.npmjs.org/left-pad
npm ERR! 404 
npm ERR! 404 'left-pad' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 It was specified as a dependency of 'line-numbers'
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
npm ERR! Please include the following file with any support request:
npm ERR!     /home/travis/build/coldrye-es/pingo/npm-debug.log
make: *** [deps] Error 1

And here is the standard npmjs.com error page https://www.npmjs.com/package/left-pad

However, if I remove left-pad from my local npm cache and then reinstall it using npm it will happily install left-pad@0.0.4.

@tonytamps

according to https://registry.npmjs.org/left-pad

unpublished: {
  name: "azer",
  time: "2016-03-22T21:27:15.696Z",
  ...
}

It's causing Babel to fail installation

@silkentrance silkentrance changed the title from npmjs.org tells me that left-pad is not available to npmjs.org tells me that left-pad is not available (404 page) Mar 22, 2016
@silkentrance

@tonytamps thanks for pointing this out

@azer why? this will break babel based builds on travis...

@Baggz
Baggz commented Mar 22, 2016

I'm having the same issue.

@jagthedrummer

Yep, I'm having the same problem.

@Baggz
Baggz commented Mar 22, 2016

Seems like https://www.npmjs.com/package/left-pad is up again, but no versions published.


@OllieJennings

@tonytamps it seems like the registry has updated weirdly

{
  "_id": "left-pad",
  "_rev": "12-29db2b53680e1c66ee1acc89502fe1b0",
  "name": "left-pad",
  "time": {
    "modified": "2016-03-22T21:42:18.002Z",
    "created": "2014-03-14T09:09:20.762Z",
    "0.0.0": "2014-03-14T09:09:20.762Z",
    "0.0.1": "2014-08-14T03:31:03.146Z",
    "0.0.2": "2014-08-15T07:13:09.056Z",
    "0.0.3": "2014-08-15T07:14:44.360Z",
    "0.0.4": "2015-05-20T04:04:04.473Z",
    "1.0.0": "2016-03-22T21:42:18.002Z",
    "unpublished": {
      "name": "westlac",
      "time": "2016-03-22T21:47:25.250Z",
      "tags": {
        "latest": "1.0.0"
     },

@camwest
Contributor
camwest commented Mar 22, 2016

Yeah I published a 1.0.0 to try to resolve the dependency. It looks like someone (not me) completely removed left-pad from the npm registry

@jagthedrummer

Is there a way to get all the old versions back again? In my project it's at the end of a fairly long dependency chain...

@camwest
Contributor
camwest commented Mar 22, 2016

@azer would know better why it was unpublished (assuming he was the one to unpublish it)

@jmcriffey

@camwest The package line-numbers is pinned to 0.0.3 specifically, so you'll need to publish that version or someone will have to summon the creator of line-numbers.

@silkentrance

Just tried replacing the travis version of npm, which is fairly old, with the latest to see what it will do

npm ERR! Linux 3.13.0-40-generic
npm ERR! argv "/home/travis/.nvm/versions/node/v4.2.2/bin/node" "/home/travis/.nvm/versions/node/v4.2.2/bin/npm" "install"
npm ERR! node v4.2.2
npm ERR! npm  v3.8.2
npm ERR! No compatible version found: left-pad@0.0.3
npm ERR! Valid install targets:
npm ERR! 0.0.9
npm ERR! 
npm ERR! 
npm ERR! If you need help, you may report this error at:
npm ERR!     <https://github.com/npm/npm/issues>
npm ERR! Please include the following file with any support request:
npm ERR!     /home/travis/build/coldrye-es/pingo/npm-debug.log
make: *** [deps] Error 1

It will now tell me that there is a version 0.0.9... weird.

Will not try to install that one, though, with all the malware going around...

@RongxinZhang

+1 same issue here.

@OllieJennings

@RongxinZhang try and use the new GitHub reactions instead of the old +1 :)

@olih
olih commented Mar 22, 2016

+1 same issue

@camwest
Contributor
camwest commented Mar 22, 2016

@jmcriffey I can't publish 0.0.3 because it's already been published and removed. NPM forbids publishing a version of the same library twice.

See npm/npm-registry-couchapp#148 for context

@silkentrance

@lydell is there a way to make line-numbers work again, perhaps an alternate package or by depending on left-pad@1.0.0 instead?

@danteoh
danteoh commented Mar 22, 2016

+1... this is messing things up for a lot of ppl.

@camwest
Contributor
camwest commented Mar 22, 2016

See lydell/line-numbers#3

This pull request needs to be merged and line-numbers needs to be republished

@tomcat90

+1 Also broke my stuff

@phamcharles

Same

@anauleau

Same - broke my build

@laurelnaiad

This kind of just broke the internet.

@vhmth
vhmth commented Mar 22, 2016

It broked our build. Halp pl0x. Demo video for investors needs deploy soon. :-)

@laurelnaiad

My build wants version 0.0.3 back or else it's going to hold me hostage. npm reports the only valid install target is 0.0.9

@yentsun
yentsun commented Mar 22, 2016

was about to deploy after weeks of work (to demonstrate to the client) and bam - this issue.

@jacksonrayhamilton

It looks like someone (not me) completely removed left-pad from the npm registry

Time to update your password / credentials?

@jmcriffey

@camwest Ah yeah, I forgot it won't let you republish a version. Seems like you shouldn't be able to delete a version either. The github profile @lydell says they are in Sweden so we might be out of luck until morning there.

@camwest
Contributor
camwest commented Mar 22, 2016

@jacksonrayhamilton I'm not the original author. When it was removed from npm I just forked this repo and republished it.

@camwest
Contributor
camwest commented Mar 22, 2016

Chatting in https://slack.babeljs.io #discussion fyi

@camwest
Contributor
camwest commented Mar 22, 2016

Emergency release of babel with line numbers dependency removed incoming soon...

@loganfsmyth

Yep, given that it's unclear when line-numbers will be updated, we're dropping the dependency from babel-code-frame for now until we have more time to resolve.

@paladox
paladox commented Mar 22, 2016

@azer or @camwest please could you republish this repo.

@maxkostow

You can install from GitHub by adding left-pad to your package.json.

"dependencies": {
  "left-pad": "git://github.com/azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355"
}
@ccutch
ccutch commented Mar 22, 2016

I made a pull request to line-numbers that uses this as a dependency; if you guys want to thumb that up so he sees it: lydell/line-numbers#2. I believe @camwest made one too

@ccutch
ccutch commented Mar 22, 2016

@loganfsmyth care to use lodash? https://lodash.com/docs#padStart

@kittens
kittens commented Mar 22, 2016

Published a new version of babel-code-frame as 6.7.3 that removes line-numbers. Need to backport it to v5.

@joeandaverde

The problem with "tiny modules" -- so easy to break the whole NPM ecosystem.

@yentsun
yentsun commented Mar 22, 2016

@maxkostow Thanks,

adding "left-pad": "git://github.com/azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355" to your package.json

fixed my build

@loganfsmyth loganfsmyth referenced this issue in babel/babel.github.io Mar 22, 2016
Closed

Unable to install babel 5.8.x #768

@silkentrance

@loganfsmyth @kittens thank you very much. YMMD!

@ctolkien

The problem with "tiny modules" -- so easy to break the whole NPM ecosystem.

NPM should really not allow removing of previously published versions.... surely?

@seiyria
seiyria commented Mar 22, 2016

A relevant place to bring up the npm issue is over here: npm/npm#12012

@ccutch
ccutch commented Mar 22, 2016

@ctolkien I think that this is also proving that a small issue can be fixed in a matter of minutes with open source when hundreds of people are having an issue. Definitely much better than calling your Oracle rep to submit a ticket for an issue.

@camwest
Contributor
camwest commented Mar 22, 2016

FYI @isaacs

@kittens
kittens commented Mar 22, 2016

FYI Babel 6 is now fixed.

$ npm install babel-core@6
/Users/sebmck/Scratch/fuckkk
└─┬ babel-core@6.7.2
  ├─┬ babel-generator@6.7.2
  │ ├─┬ detect-indent@3.0.1
  │ │ ├── get-stdin@4.0.1
  │ │ └── minimist@1.2.0
  │ ├── is-integer@1.0.6
  │ └── trim-right@1.0.1
  ├── babel-helpers@6.6.0
  ├── babel-messages@6.7.2
  ├─┬ babel-register@6.7.2
  │ ├── core-js@2.2.1
  │ ├─┬ home-or-tmp@1.0.0
  │ │ ├── os-tmpdir@1.0.1
  │ │ └── user-home@1.1.1
  │ ├─┬ mkdirp@0.5.1
  │ │ └── minimist@0.0.8
  │ └─┬ source-map-support@0.2.10
  │   └─┬ source-map@0.1.32
  │     └── amdefine@1.0.0
  ├── babel-template@6.7.0
  ├─┬ babel-traverse@6.7.3
  │ ├── globals@8.18.0
  │ └─┬ invariant@2.2.1
  │   └── loose-envify@1.1.0
  ├─┬ babel-types@6.7.2
  │ └── to-fast-properties@1.0.2
  ├── babylon@6.7.0
  ├── convert-source-map@1.2.0
  ├─┬ debug@2.2.0
  │ └── ms@0.7.1
  ├── json5@0.4.0
  ├── lodash@3.10.1
  ├─┬ minimatch@2.0.10
  │ └─┬ brace-expansion@1.1.3
  │   ├── balanced-match@0.3.0
  │   └── concat-map@0.0.1
  ├── path-exists@1.0.0
  ├── path-is-absolute@1.0.0
  ├── private@0.1.6
  ├── shebang-regex@1.0.0
  ├── slash@1.0.0
  └── source-map@0.5.3
@jacksonrayhamilton

The problem with "tiny modules" -- so easy to break the whole NPM ecosystem.

The way I see it, the problem is not the modules, but rather reliance on a centralized system.

@othiym23

A relevant place to bring up the npm issue is over here

No, that is not a relevant place to bring up the issue. This is not something over which the npm CLI maintainers have any control or responsibility. It's unfortunate that this package got unpublished, but this is the system behaving as designed.

@sheki
sheki commented Mar 22, 2016

a way to vendor npm modules would be sweet

@isaacs
isaacs commented Mar 22, 2016

The problem is reliance on other people.

If you rely on other people -- for literally anything -- then you can be surprised when they act in ways that you didn't predict.

That goes for relying on other peoples' servers, their code, their ability to show up to their jobs on time, etc.

The only way to never be surprised or inconvenienced by other people is to not rely on other people for anything. And none of us are about to do that.

@sheki https://docs.npmjs.com/files/package.json#bundleddependencies

This problem was identified and then fixed in minutes. This isn't an example of the small modules philosophy breaking; it's an example of it working.

@anauleau

Wait, so what is the fix? I'm still getting the error

@camwest
Contributor
camwest commented Mar 22, 2016

@anauleau upgrade to babel ^6.7.3 (you may need to clear npm cache locally)

@CliftonH

Upgrading babel isn't trivial

@loganfsmyth

@anauleau This is fixed for Babel 6.x, a fix for 5.x is incoming.

@anauleau

I am using babel 5.x, so I'll wait...

@kenmazaika

The fix from @maxkostow worked for me.

@parro-it

This problem was identified and then fixed in minutes. This isn't an example of the small modules philosophy breaking; it's an example of it working.

@isaacs I completely agree with you, thanks guys!

@paulkerschen paulkerschen referenced this issue in ets-berkeley-edu/calcentral Mar 22, 2016
Merged

SISRP-16714 EdoDb: create enrolled sections query #5103

@azer
Collaborator
azer commented Mar 22, 2016

Hi all,

Sorry about this. I've unpublished all my stuff from NPM.

You can change your dependency to point to azer/left-pad.

If there is any volunteer to take over this module, I'll happily transfer the repo.

Apologies for the inconvenience.

Azer

@Thatkookooguy

haha broke my build too. this literally broke major projects like react-native 😄

facebook/react-native#6595

Seems like a lot of major projects have dependencies on this.

@kittens
kittens commented Mar 22, 2016

@azer yes, please transfer it to me.

@kittens
kittens commented Mar 22, 2016

@azer my npm username is sebmck.

@ccutch
ccutch commented Mar 22, 2016

@kittens I would be glad to help too, username ccutch

@kittens
kittens commented Mar 22, 2016

wait nope, there's literally no way to fix this for older versions. you've basically broken every single version of babel. you can't republish over already published packages. babel relies on line-numbers with a fixed version and line-numbers relies on left-pad with a fixed version.

@jacksonrayhamilton

The only way to never be surprised or inconvenienced by other people is to not rely on other people for anything. And none of us are about to do that.

That's not what I was implying. The JavaScript community is library-based; of course we must and do rely on each other for almost everything.

I was implying some decentralization could make the system more reliable. For instance: If a package can't be downloaded, but is cached, install the cached version? (Maybe resolve this issue?) Or: Replicate (part of) the registry locally or onto your own server, and refuse to delete packages on your server?

@paladox
paladox commented Mar 22, 2016

@kittens the repo on npm was completely erased and re-uploaded, erasing the 0.0.3 release.

@parro-it

@azer I read your article on medium.
I think what happened is really sad and we should think of some sort of protection against this kind of thing happening.

@joeandaverde

@azer While I'm annoyed this has wasted part of my day. I'm okay for the reasons as you've explained. Now to deal with the fallout.

@ccutch
ccutch commented Mar 22, 2016

I changed my pull request for line-numbers which is the dependency that babel uses to use lodash over this library lydell/line-numbers#2 please help get this noticed.

@kittens
kittens commented Mar 22, 2016

@ccutch that won't fix it since babel relies on it as a fixed version rather than a range

@loganfsmyth

Is there really no way to tell npm to re-publish a package that was explicitly unpublished?

@deoxxa
deoxxa commented Mar 22, 2016

@loganfsmyth there sure is - NPM Inc can step in and steal control of this module just like they did the kik module.

@tmcgee123

Forget my broken build, that's some nonsense!! @azer I totally agree, thank you for your contributions and helping the JS community grow just a little bit more, regardless of this outcome. Cheers buddy!

In my eyes, this is not a waste of time, but a learning experience on dependencies and how open source software is being affected by big companies.

@philikon

wait nope, there's literally no way to fix this. you've basically broken every single version of babel. you can't republish over already published packages.

If it's not apparent yet, this exemplifies how NPM and much of the community's use of it is utterly broken.

@redconfetti

The Medium article, for those interested.

@kittens
kittens commented Mar 22, 2016

@tmcgee123

Forget my broken build, stick it to the man!! @azer I totally agree, thank you for your contributions and helping the JS community grow just a little bit more, regardless of this outcome. Cheers buddy!

yes, who cares about all the peoples time this is wasting am i right

@chibicode

Thanks to @maxkostow - his fix also worked for me.

npm install azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355

Add --save or --save-dev at the end to overwrite your package.json.

FYI I was deploying on Codeship but had to clear their dependency cache.

@jitendersandhu

@maxkostow

adding "left-pad": "git://github.com/azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355" to your package.json

Thanks for the fix!

@shantp
shantp commented Mar 22, 2016

Everyone check out my new npm module called dominospizza™

@kittens
kittens commented Mar 22, 2016

Managed to publish babel 5.8.36.

IF YOU HAVE YOUR VERSION FIXED THEN YOU WILL NEED TO UPDATE TO ONE OF THE FOLLOWING:

  • 6.7.2
  • 5.8.38
@alexBaizeau

So ironic that 17 lines of code breaks the internet 🙌

@ngokevin ngokevin referenced this issue in aframevr/aframe Mar 22, 2016
Merged

left-pad apocalypse (fixes #1225) #1226

@philikon

So ironic that 17 lines of code breaks the internet 🙌

https://www.youtube.com/watch?v=nT1TVSTkAXg

@jkudish
jkudish commented Mar 22, 2016

We've made a copy of 0.0.3 available for anyone who wants to point to it instead: https://github.com/Automattic/left-pad-0.0.3

Here's how we updated our shrinkwrap file to point to it: Automattic/wp-calypso@a6ab617

@camwest
Contributor
camwest commented Mar 22, 2016

I've requested from npm that they restore 0.0.3 on npm since I'm now the owner of the package...

@michaelshobbs

is left-pad 0.0.3 still being restored? doesn't seem to work yet for me.

npm ERR! argv "node" "/usr/local/bin/npm" "install" "left-pad@0.0.3"
npm ERR! node v0.12.7
npm ERR! npm  v2.11.3

npm ERR! version not found: left-pad@0.0.3
npm ERR!
npm ERR! If you need help, you may report this error at:
npm ERR!     <https://github.com/npm/npm/issues>
@joshmanders

Also as much as it sucks what happened, it's @azer's choice to do what he wants with his modules. Nobody here is entitled to them working forever, nor is he required to keep them on npm. Stop and take a step back before you start scolding him.

@matthew-dean

@joshmanders Also truth.

@ngokevin

While it's @azer's right to unpublish the modules, it is also the ecosystem's right to voice frustrations.

@loganfsmyth

@michaelshobbs My recommendation would be to upgrade your Babel version to the latest of whichever major version you are on.

@lucas-aragno

npm install azer/left-pad.git#bff80e3ef0db0bfaba7698606c4f623433d14355 worked for us.

credits to @maxkostow

@michaelshobbs

hrm, unfortunately not using babel-core. instead, we're pulling in a bunch of babel-* deps.... :(

@diffsky
diffsky commented Mar 22, 2016

This just started working for me

$ npm --registry https://registry.npmjs.org install left-pad@0.0.3
left-pad@0.0.3 node_modules/left-pad
@loganfsmyth

@michaelshobbs You've definitely got babel-core in there somewhere :) Feel free to drop by our support channel on Slack if you want more direct help.

@davidbgk

Nobody to thank @azer for these few but so heavily used lines of code. Kinda disappointing.

@loganfsmyth

Ah, and it does appear that the re-publish of 0.0.3 has been completed. Hopefully that can be the final fix.

Thank you everyone for bringing the issue to us. On the plus side, it's always nice to hear from our users :P

@jacksonrayhamilton

While it's @azer's right to unpublish the modules, it is also the ecosystem's right to voice frustrations.

@ngokevin, rather than voicing frustrations or settling for quick fixes, we should be proposing and implementing long-term solutions, so this doesn't happen again.

@michaelshobbs

@loganfsmyth ah most likely a sub-sub-sub-dep ;P

seems to be working now. thanks!

@nijikokun

don't use simple things you could just write yourself.

@camsaul
camsaul commented Mar 22, 2016

@pippinlee getting a 404

@chibicode

Confirmed that npm install left-pad@0.0.3 is now working


@matthewlowry

ZOMG the list of unpublished npm modules WAS UNPUBLISHED!

@joshmanders

Prime time for pushing ES2016 usage. https://jsfeatures.in/#ES7-string-prototype-padleft

@lukebrooker

So apparently npm packages aren't hard to steal:

https://www.npmjs.com/package/kik

:trollface:

@camsaul
camsaul commented Mar 22, 2016

^ The list of unpublished npm modules was un-un-published ?

@parro-it

@lukebrooker good luck with lawyers!

@nijikokun

even if you want your code gone, someone will just put it back, lmao.

@jamietre

don't use simple things you could just write yourself.

As much fun as it would be to reinvent & retest the entire world, assuming I had no actual work to do, seems that a single incident such as this in the entire history of npm isn't a reason to just throw it all out the window...

@Lana-chan

If you want to depend on a person's work, be prepared to deal with the consequences of the person's actions over their work.

@dolkensp

@jasonroelofs Copyright law is different in every country. Company names are different in every country. I guarantee you, if you've published code, you have published to a package that is already trademarked in a country, somewhere around the world.

Personally, I think this was a very good, very strong message to send to the Open Source community. It is time for copyright reform, and it is time for companies like github, npm, etc to be protected from nonsense like this.

If KIK had an issue, they should be forced to take it up with the original repo owner. At that point, the judge should be forced to understand the impacts of "unpublishing" or "handing over" a repo.

Even "RealDonaldTrump" was forced to pick an alternative name for twitter. You don't see me stomping around because I'm older than that young whippersnapper that just registered my handle on that new social media site - You snooze, you lose.

Kik was a fairly small package, but what would you say if instead, "react" or "angular" or "handlebars" were forced to unpublish their packages, because all of those have different trademarks in different countries.

@camwest
Contributor
camwest commented Mar 23, 2016

@kittens FYI

➜  left-pad git:(master) npm owner ls left-pad
sebmck <sebmck@gmail.com>
westlac <cameron.westland@autodesk.com>
@deoxxa
deoxxa commented Mar 23, 2016

@dolkensp I'm no lawyer, but my understanding is that this is exactly what the "safe harbour" part of the DMCA is for.

@Daniel15

NPM should really not allow removing of previously published versions.... surely?

Definitely agree with this. I don't know of any other major package management system that lets you completely delete a package that has been published, other than in very rare scenarios (like a module being backdoored) where it's done manually. Neither NuGet nor Packagist allow deletion of packages, for example.

@nijikokun

@jamietre this happens all the time, same with sec issues and bugs, but ultimately you will have to face what @Lana-chan stated. To avoid this you have three ways:

  1. Self hosted npm registry
  2. Write your own module
  3. Clone & link to clone
@camwest
Contributor
camwest commented Mar 23, 2016

FYI https://github.com/camwest/left-pad is published now.

@Havvy
Havvy commented Mar 23, 2016

I'm no lawyer, but my understanding is that this is exactly what the "safe harbour" part of the DMCA is for.

Nope. "safe harbour" is only for the DMCA. "kik" package is trademark related, not copyright.

@gabehayes


@joshmanders

@nijikokun

don't use simple things you could just write yourself.

I'll just leave this here. https://en.wikipedia.org/wiki/Unix_philosophy

@dolkensp

@deoxxa Yes, and companies should be able to confidently rely on safe harbour, instead of bending to the will of patent lawyers.

The recent Apple v FBI case is a good example of why a company like npm SHOULD be scared - there's no precedent that will guarantee that a company like npm WON'T be sued, and have to waste money defending itself, and even if there were, there are too many loopholes for conniving lawyers to try and wiggle their way through.

If the clause was as clear cut as "only the original publisher of material may be prosecuted", then we wouldn't have a problem, but RIAA, MPAA would never allow that - it would cut into their bottom line too much.

@Ragzouken

so everything should be pretty good until Left Pad Inc makes a trademark claim, right?

@lukebrooker


Stolen back already: https://www.npmjs.com/package/kik

@SomeoneWeird

^ That is definitely not cool on NPM's part.

@Lana-chan

I think this opens a good discussion for FOSS. What if a package (assuming the dependency was to the last version, instead of a fixed revision) was edited to do something completely different instead of just removed, would it still be okay for an organization to step in and revert it over the author's wishes? At what point do we stop this from becoming a Wikipedia edit war?

@joshmanders

@lukebrooker

@vladikoff

⚠️ Just a warning, a bunch of other @azer packages just got name squatted on npm by who knows who so watch out when updating your package.json files.

@Daniel15

Just a warning, a bunch of other @azer packages just got name squatted on npm by who knows who so watch out when updating your package.json files.

This is why we can't have nice things.

@dolkensp

@Daniel15 actually, the ability to unpublish is why we can't have nice things. Plenty of FOSS package systems out there that would handle this just fine.

@drewhamlett

More tools for Github issues they said. Will cut down on +1's they said.

Also just leaving this here.
http://ruby-doc.org/core-2.3.0/String.html#method-i-rjust
https://docs.python.org/2/library/string.html#string.zfill

@Daniel15

@dolkensp Yeah, to be clear I was referring to other people namesquatting, as the new packages will be pulled in for any package.json whose version range matches. An ideal package management system would be able to tell that the new (namesquatted) package is not signed with the same key as the older package, and at least warn you about it. npm packages aren't verifiable due to the lack of a signature on the packages.

@jamietre

@nijikokun sure, but I was responding to the notion of writing everything trivial yourself to avoid this, not that nothing will ever go wrong.

I doubt any car manufacturers are going to make their own airbags even though Takata screwed the pooch for millions of drivers. You accomplish much more by leveraging the work of others. Yes it comes with risks. They are minute compared to the risk of having to reinvent & test every 3rd party library I use.

@jacksonrayhamilton

Just a warning, a bunch of other @azer packages just got name squatted on npm by who knows who so watch out when updating your package.json files.

Just going to re-post the list of packages (from @azer's blog post) to help us validate our builds: https://gist.githubusercontent.com/azer/db27417ee84b5f34a6ea/raw/50ab7ef26dbde2d4ea52318a3590af78b2a21162/gistfile1.txt

Is there a possibility that these packages could turn malicious, and everyone who relied on them is in big trouble after their next npm install? 😨

@SomeoneWeird

@jacksonrayhamilton Yes, it's absolutely possible. NPM modules can run arbitrary commands on installation.

@drewhamlett

Can npm run rm -rf / ?

@SomeoneWeird

Depending on what user you run npm as, yes.

@tlrobinson tlrobinson referenced this issue in npm/npm Mar 23, 2016
Closed

Remove unpublish #12017

@drewhamlett

@SomeoneWeird @zerkms Ok cool. Thanks. I guess you would need to run it as sudo for it to work though.

@callmevlad

Is there a possibility that these packages could turn malicious, and everyone who relied on them is in big trouble after their next npm install? 😨

Yes: https://news.ycombinator.com/item?id=11341006

@KoryNunn

@drewhamlett so any module installed in the normal sudo'd global way would be able to do anything. Another good reason to use nvm.

@zerkms
zerkms commented Mar 23, 2016

@tlrobinson 2 links to the PR were more than enough, really.

@SomeoneWeird

@drewhamlett doesn't stop it wiping out your home directory, including all your ssh keys etc (you have backups, right?)

@Lana-chan

No, let's post it again! Maybe it'll fix itself!

@azu azu referenced this issue in textlint/textlint Mar 23, 2016
Closed

textlint is broken #175

@jacksonrayhamilton

Here's a quick script to check if you depended on any of @azer's packages (tested with npm@2.14.7 and npm@3.7.3). If you find any, you should confirm they are still safe.

#!/usr/bin/env bash
# Fetch the list of unpublished package names, turn each into the grep pattern
# " <name>@" (how a name appears in `npm ls` tree output), save the patterns,
# then print every line of the local dependency tree that matches one of them.
curl https://gist.githubusercontent.com/azer/db27417ee84b5f34a6ea/raw/50ab7ef26dbde2d4ea52318a3590af78b2a21162/gistfile1.txt \
    | sed 's/^\(.*\)$/ \1@/' \
    > ~/suspicious-packages.txt \
    && npm ls \
    | grep -f ~/suspicious-packages.txt
@dolkensp

@tlrobinson The PR doesn't matter - npm is going to address this issue the same way they addressed long-file-paths in windows - "Not our problem, go away"

@orf
orf commented Mar 23, 2016

Didn't they address long file paths in Windows by releasing a flat node_modules structure? That's the exact painstaking opposite of "Not our problem, go away".

@tlrobinson

List of number of packages depending on those unpublished by @azer: https://gist.github.com/tlrobinson/05d2354a71f5491d2f5a

@davidmason

Didn't really expect to spend the last hours of my day cleaning up after another's tantrum.

@aduth so you're happy to use someone's code that they shared with the world for free, and you feel that your investment of $0 entitles you to some standard of service?

@drewhamlett

@davidmason Oh here we go again. Thanks a bunch.

@deoxxa
deoxxa commented Mar 23, 2016

If anyone is confused about @davidmason's comment, it was in reference to a now-deleted reply. Anyone who has email notifications turned on in this thread probably has a copy in their inbox.

@plondon plondon referenced this issue in blockchain/My-Wallet-V3-Frontend Mar 23, 2016
Merged

Low med priority bugs #352

@zombieJ
zombieJ commented Mar 23, 2016

Open source should not be oppressed. Though it cost others time, you have the reason to do that.

@joeandaverde

@davidmason the suck it up, you didn't earn it, move on mentality contributes negatively to the validity and trustworthiness of the OSS community.

@deoxxa
deoxxa commented Mar 23, 2016

@joeandaverde the "you made it, you have to support the way I use it" mentality contributes negatively to the experience of being a part of the OSS community.

@matthew-dean

Safe harbor just means that NPM is safe (somewhat) from prosecution even if someone hosts copyrighted works on NPM. It doesn't mean they don't have to act on behalf of trademark / copyright owners.

@jackwanders

@jacksonrayhamilton thanks for the script; I made a tweak to output the full install path for any of @azer's packages found in a project:

#!/usr/bin/env bash
# Same idea, but each name becomes the pattern "/<name>$" so it matches the end
# of an install path as printed by `npm ls --parseable`, giving the full path.
curl https://gist.githubusercontent.com/azer/db27417ee84b5f34a6ea/raw/50ab7ef26dbde2d4ea52318a3590af78b2a21162/gistfile1.txt \
    | sed 's/^\(.*\)$/\/\1$/' \
    > ~/suspicious-packages.txt \
    && npm ls --parseable \
    | grep -f ~/suspicious-packages.txt

This gave me the output:

/Users/jackwanders/some-project/node_modules/babel/node_modules/babel-core/node_modules/line-numbers/node_modules/left-pad

Hopefully this might help others determine how to proceed if they are relying on any of these packages.

@sphvn
sphvn commented Mar 23, 2016

Surely Kik could have just spent 5 seconds to realise that the NPM package had nothing to do with anything related to them. Solid effort on notifying a bunch of people as to what happened though.

Like others have said, it's his code and he can do what he wants with it; it's open source, so if you wish to republish then do so, rather than complain.

@iroy2000

Our build job fortunately caught that left-pad issue and we ended up upgrading one of our npm modules to its latest version, which solved the problem, and my co-worker just swore in the team chatroom :)

@thesoftwarejedi

This is a great example of why decentralizing the package hosting can solve the problem. If package hosting were done via a technology such as zeronet and torrents, this could be entirely avoided.

I'll be looking into this in the coming months.

@stevemao
Owner

@azer transfer the module to me please 😄 since I'm the only other author of the module 😀

@azer
Collaborator
azer commented Mar 23, 2016

@stevemao is the new owner of the module, not sure how he can take the npm ownership.

@widnyana widnyana referenced this issue in nikolas/github-drama Mar 23, 2016
Closed

npm leftpad #13

@stevemao
Owner

Thanks @azer 👍

@parro-it parro-it referenced this issue in parro-it/awesome-micro-npm-packages Mar 23, 2016
Merged

adds pad-left #9

@xzer
xzer commented Mar 23, 2016

Thanks @azer, you did the right thing, which makes us understand how dangerous npm is to us, open source developers. You gave a perfect warning to the whole world, telling us not to trust the bullshit npm any more.

To be honest, great work!

@isaacs
isaacs commented Mar 23, 2016

@KoryNunn @SomeoneWeird @zerkms @drewhamlett If you run npm as root, it'll process.setuid() to a nobody user. https://docs.npmjs.com/misc/scripts#user

@KoryNunn

@isaacs that is really good. There are however many other malicious things that can be done without sudo, like grabbing private keys.

@winterbe

I don't wanna imagine what happens when tomorrow someone trademarks Lodash and wreaks havoc. 💥

Maybe it's time to add an exclusion clause to Open Source licenses for companies like Kik?

BTW: Ask one of 80 million germans about Kik and they'll recognize a completely different company.

@azer
Collaborator
azer commented Mar 23, 2016

@f thank you for your understanding and support, Fatih :)

@tjacobs
tjacobs commented Mar 23, 2016

This is why Docker exists. Because dependency management is trouble. Pack it all into one package. Do we need a Docker for JS?

@Thatkookooguy Thatkookooguy referenced this issue in Kibibit/kibibit-code-editor Mar 23, 2016
Merged

add material icons #86

@azer azer closed this Mar 23, 2016
@azer azer locked and limited conversation to collaborators Mar 23, 2016
@stevemao
Owner
stevemao commented May 1, 2016

1.1.0 is released :)
