Pinkie republished to NPM by user that isn't floatdrop #18
Comments
@floatdrop what's happened?
Oh wow, all his packages have gone 💥 Hope it's not another leftpad scenario.
Now the package isn't up at all. Failed deploys all over.
It's getting worse. Looks like yarn is broken now. And yarn is used heavily by Heroku node projects!
Looks identical:
That's a massive potential security hole though! How can we trust / rely on the other dev ( @puradox ) to maintain future
I posted at NPM's "registry" project too: https://github.com/npm/registry/issues/256
@ceejbot statement from https://github.com/npm/registry/issues/255 :
I wonder if
Follow-up:
PS: this issue can now be closed.
NPM n00b here: is it not worrying that the "maintainers" field of several entries in https://registry.npmjs.org/pinkie/ still points to puradox?
Very good point. NPM's internal "metadata" seems to have retained information about the unwanted package's publisher (as a "maintainer"), even though pinkie's public project metadata doesn't include "puradox" as a contributor. Perhaps ask here: https://github.com/npm/registry/issues
Interestingly, the package duplexer3 which was actually hijacked during the downtime (completely wiped and changed for a stupid console message) does not seem to have incorrect registry metadata (maintainers):
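A check for the registry-metadata concern raised in the two comments above, as an added example that is not from the thread: it walks a full npm registry document (the JSON that https://registry.npmjs.org/<name> returns) and flags versions whose recorded publisher (`_npmUser`) or per-version `maintainers` snapshot names an account that is not in the package's current top-level `maintainers` list. The sample document and account names below are constructed placeholders, not real packages or npm users.

```python
"""Audit an npm registry document ("packument") for versions whose publisher
or per-version maintainers are not among the package's current maintainers.

Added example, not code from the original thread. Field names follow the full
(non-abbreviated) registry document: a top-level "maintainers" list and, per
version, "_npmUser" (the account that ran `npm publish`) plus a "maintainers"
snapshot taken at publish time.
"""
import json


def current_maintainers(packument):
    """Account names listed as maintainers on the package right now."""
    return {m["name"] for m in packument.get("maintainers", [])}


def audit_publishers(packument):
    """Return {version: set of account names} for every version whose publisher
    or recorded maintainers include an account that is not a current maintainer.
    An empty dict means every published version is attributable to the
    current maintainers."""
    expected = current_maintainers(packument)
    findings = {}
    for version, meta in packument.get("versions", {}).items():
        seen = {m["name"] for m in meta.get("maintainers", [])}
        publisher = meta.get("_npmUser", {}).get("name")
        if publisher:
            seen.add(publisher)
        unexpected = seen - expected
        if unexpected:
            findings[version] = unexpected
    return findings


# Constructed sample: package and account names are placeholders.
SAMPLE_PACKUMENT = json.loads("""{
  "name": "example-pkg",
  "dist-tags": {"latest": "2.0.1"},
  "maintainers": [{"name": "original-owner", "email": "owner@example.invalid"}],
  "versions": {
    "2.0.0": {
      "_npmUser": {"name": "original-owner", "email": "owner@example.invalid"},
      "maintainers": [{"name": "original-owner", "email": "owner@example.invalid"}]
    },
    "2.0.1": {
      "_npmUser": {"name": "unexpected-publisher", "email": "x@example.invalid"},
      "maintainers": [{"name": "unexpected-publisher", "email": "x@example.invalid"}]
    }
  }
}""")

if __name__ == "__main__":
    for version, who in sorted(audit_publishers(SAMPLE_PACKUMENT).items()):
        print(f"{version}: published/maintained by non-current account(s) {sorted(who)}")
```

To run it against a live package, pass the parsed output of a plain GET on the registry URL (for example via `json.load(urllib.request.urlopen(url))`) to `audit_publishers`; a non-empty result is a prompt to confirm the publish with the package owner, not proof of a hijack.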
Perhaps @puradox is a developer who worked with @floatdrop in the past? Can you please confirm?
Hey guys! Sorry for not posting sooner, I've been traveling quite a bit. Let me explain what happened: I was in the middle of development when I noticed that the installation of one of my tools failed. I was receiving an error stating that I had absolutely no intention of "hijacking" this package and apologize for any inconvenience this may have caused the maintainers of Referencing the latest npm blog post, it seems npm had an outage during the time I was attempting to install my tools. Knowing that this wasn't another
@puradox thanks for chiming in!
Good to hear from you puradox :)
Just deleting yarn.lock and executing yarn install solved it. I'm using yarn 1.9.
Pinkie disappeared briefly from npm, see #16, then reappeared again published by another user. Was originally published by floatdrop now published by puradox. pinkie-promise has also been republished by mbensch.
Bit worrying if not published by the original author. Could be an attempt to hijack the packages? Or just someone trying to help out? Would be good to get clarification from @floatdrop.
Original NPM page:
Current NPM page: