{"id":42260,"date":"2024-02-27T14:36:01","date_gmt":"2024-02-27T19:36:01","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=42260"},"modified":"2024-02-28T09:55:42","modified_gmt":"2024-02-28T14:55:42","slug":"the-everything-npm-package","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2024\/02\/27\/the-everything-npm-package\/","title":{"rendered":"The “everything” NPM Package"},"content":{"rendered":"

Feross Aboukhadijeh<\/a> (Hacker News<\/a>):<\/p>\n

Just when we thought we’d seen it all, an npm user named PatrickJS, aka gdi2290<\/a>, threw us a curveball. He (along with a group of contributors<\/a>) kicked off the year with a bang, launching a troll campaign that uploaded an npm package aptly named everything<\/code><\/a>. This package, true to its name, depends on every other public npm package, creating millions of transitive dependencies.<\/p>

[…]<\/p>

The “everything” package, with its 5 sub-packages and thousands of dependencies, has essentially locked down the ability for authors to unpublish their packages. This situation is due to npm’s policy shift following the infamous “left-pad” incident in 2016<\/a>, where a popular package left-pad<\/code><\/a> was removed, grinding development to a halt across much of the developer world. In response, npm tightened its rules around unpublishing<\/a>, specifically preventing the unpublishing of any package that is used by another package.<\/p>

Ironically, this policy trapped PatrickJS in his own web. Upon realizing the impact of his prank, he attempted to remove the everything<\/code> package but was unable to do so. He reached out to the npm support team for help, but the damage was done.<\/p><\/blockquote>\n\n

Previously:<\/p>\n