The “everything” NPM Package
Feross Aboukhadijeh (Hacker News):
Just when we thought we’d seen it all, an npm user named PatrickJS, aka gdi2290, threw us a curveball. He (along with a group of contributors) kicked off the year with a bang, launching a troll campaign that uploaded an npm package aptly named
everything. This package, true to its name, depends on every other public npm package, creating millions of transitive dependencies.[…]
The “everything” package, with its 5 sub-packages and thousands of dependencies, has essentially locked down the ability for authors to unpublish their packages. This situation is due to npm’s policy shift following the infamous “left-pad” incident in 2016, where a popular package
left-padwas removed, grinding development to a halt across much of the developer world. In response, npm tightened its rules around unpublishing, specifically preventing the unpublishing of any package that is used by another package.Ironically, this policy trapped PatrickJS in his own web. Upon realizing the impact of his prank, he attempted to remove the
everythingpackage but was unable to do so. He reached out to the npm support team for help, but the damage was done.
Previously:
- NPM Packages Sabotaged
- Popular NPM Package Compromised
- How One Developer Broke Node, Babel, and Thousands of Projects
5 Comments RSS · Twitter · Mastodon
I'm unclear why he was blocked from unpublishing this package. Was it because of the 5 sub-packages?
Mark, I'm also confused. Did his own package have some sort of circular dependency? Additionally, why did this cause so much trouble anyway? Are there institutions that just download every package on npm for some archival purpose that were being overwhelmed?
Also for those that are curious, I stayed on the website https://everything.npm.lol/ for a while and it eventually goes into some fun vaporwave glitch effect, and after a few minutes of that it fades into the Skyrim meme.
@Mark No, it says NPM has a rule that you can’t unpublished a package that someone else is depending on. This also meant that no one else could remove their packages because everything depended on them.
@Also It’s not clear to me who was installing everything (and thus exhausting their storage).
I'm guessing that the reason Everything can't be unpublished is that some other project added it as a dependency?
A modern day Aesop’s Fable if ever I read one.