Incident report: npm, Inc. operations incident of January 6, 2018

Found on The npm Blog on Saturday, 13 January 2018

On Saturday, January 6, 2018, we incorrectly removed the user floatdrop and blocked the discovery and download of all 102 of their packages on the public npm Registry. Some of those packages were highly depended on, such as require-from-string, and removal disrupted many users’ installations.

However, during the time between discovery and restoration, other npm users published a number of new packages that used the names of deleted packages.

Seriously, relying on npm is the worst thing you can do. You open your software, and every system it gets installed on, to extra attack vectors. Developing software does not mean copying and pasting other people's libraries together, along with some lines of glue you picked up on some random forum; and if you need to include stupid dependencies like left-pad, you should be fired on the spot. If you still think the npm idea is not that bad, this guy should help you understand how bad npm is.