
Pinkie republished to NPM by user that isn't floatdrop #18

Closed
paulwib opened this issue Jan 6, 2018 · 21 comments

Comments

@paulwib

paulwib commented Jan 6, 2018

Pinkie disappeared briefly from npm, see #16, then reappeared again published by another user. Was originally published by floatdrop now published by puradox. pinkie-promise has also been republished by mbensch.

Bit worrying if not published by the original author. Could be an attempt to hijack the packages? Or just someone trying to help out? Would be good to get clarification from @floatdrop.

Original NPM page:

Google cache screen shot of original NPM package

Current NPM page:

screen shot 2018-01-06 at 19 12 55

@Jokero

Jokero commented Jan 6, 2018

@floatdrop what's happened?

@paulwib

paulwib commented Jan 6, 2018

Oh wow, all his packages have gone 💥

Hope it's not another leftpad scenario.

@coffe4u

coffe4u commented Jan 6, 2018

Now the package isn't up at all. Failed deploys all over.

@Jokero

Jokero commented Jan 6, 2018

@coffe4u

coffe4u commented Jan 6, 2018

https://status.npmjs.org/incidents/41zfb8qpvrdj

@stephnr

stephnr commented Jan 6, 2018

It's getting worse. Looks like yarn is broken now. And yarn is used heavily by Heroku node projects!

@danielweck

pinkie 2.0.5 has just been published by some other dev! (not original https://www.npmjs.com/~floatdrop )
https://www.npmjs.com/package/pinkie
https://www.npmjs.com/~puradox
@floatdrop this should be 2.0.4 right?

@danielweck

package-lock.json:

     "pinkie": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/pinkie/-/pinkie-2.0.4.tgz",
-      "integrity": "sha1-clVrgM+g1IqXToDnckjoDtT3+HA=",
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/pinkie/-/pinkie-2.0.5.tgz",
+      "integrity": "sha512-9fAxS/+I3fBLBLJpZkuUTa1nY78BDWiP4Z8NFebaBCt3NuInv31J4YrljAaktsJ5QodyQ1qyr5EdBzTITF1cxw==",
       "dev": true
     }
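Review bot: the line that matters in this hunk is the integrity change, not the version bump: 2.0.4 was pinned by `sha1-clVrgM+g1IqXToDnckjoDtT3+HA=` and 2.0.5 arrives with an unrelated `sha512-…` digest, so the lockfile can no longer vouch that the new tarball contains the same code as the old one. Before committing this hunk, either verify the 2.0.5 tarball contents against 2.0.4 or restore the three `-` lines and keep the install pinned to 2.0.4.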

@danielweck

Looks identical:
2.0.4:
https://unpkg.com/pinkie@2.0.4/index.js

2.0.5:
https://unpkg.com/pinkie@2.0.5/index.js

That's a massive potential security hole though! How can we trust / rely on the other dev ( @puradox ) to maintain future pinkie updates?
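The lockfile hunk and the 2.0.4 versus 2.0.5 comparison above both come down to one question: did the pinned artifact change under you? The following is an added example, not code from the pinkie project or from npm, that diffs two package-lock.json documents and reports every entry whose version, resolved URL or integrity changed. The two lockfiles are constructed inline: the pinkie entries copy the values quoted in this thread, and "stable-dep" is a made-up dependency included for contrast. It also handles the edge case visible above, where the hash algorithm changed (sha1 to sha512), so the two digests cannot be compared from the lockfile alone.

```javascript
// Added example (not from the pinkie project or from npm): diff two
// package-lock.json documents and report every dependency whose version,
// resolved tarball or integrity digest changed, so a republished package
// is noticed before "npm install" silently accepts it.

// Constructed sample lockfiles in the v1 "dependencies" layout. The pinkie
// values are the ones quoted in the thread; "stable-dep" is made up.
const STABLE_DEP = {
  version: "1.0.0",
  resolved: "https://registry.npmjs.org/stable-dep/-/stable-dep-1.0.0.tgz",
  integrity: "sha512-CONSTRUCTEDDIGEST00000000000000000000000000000000000000000000000000000000000000000000==",
};

const OLD_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    pinkie: {
      version: "2.0.4",
      resolved: "https://registry.npmjs.org/pinkie/-/pinkie-2.0.4.tgz",
      integrity: "sha1-clVrgM+g1IqXToDnckjoDtT3+HA=",
      dev: true,
    },
    "stable-dep": STABLE_DEP,
  },
};

const NEW_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    pinkie: {
      version: "2.0.5",
      resolved: "https://registry.npmjs.org/pinkie/-/pinkie-2.0.5.tgz",
      integrity: "sha512-9fAxS/+I3fBLBLJpZkuUTa1nY78BDWiP4Z8NFebaBCt3NuInv31J4YrljAaktsJ5QodyQ1qyr5EdBzTITF1cxw==",
      dev: true,
    },
    "stable-dep": STABLE_DEP,
  },
};

// Lockfile v1 nests transitive dependencies under their parent entry.
// Flatten the tree into "parent>child" paths so every pinned artifact is
// compared, not only top-level ones.
function flattenDependencies(deps, prefix = "", out = new Map()) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = prefix ? `${prefix}>${name}` : name;
    out.set(path, entry);
    flattenDependencies(entry.dependencies, path, out);
  }
  return out;
}

// SRI strings look like "<algorithm>-<base64 digest>".
function hashAlgorithm(integrity) {
  return typeof integrity === "string" ? integrity.split("-")[0] : null;
}

// Explain how one pinned entry differs from its previous pin.
function compareEntries(prev, next) {
  const reasons = [];
  if (prev.version !== next.version) reasons.push(`version ${prev.version} -> ${next.version}`);
  if (prev.resolved !== next.resolved) reasons.push("resolved URL changed");
  if (prev.integrity !== next.integrity) {
    const a = hashAlgorithm(prev.integrity);
    const b = hashAlgorithm(next.integrity);
    reasons.push(a === b
      ? "integrity digest changed"
      : `integrity algorithm ${a} -> ${b} (old and new tarballs cannot be compared from the lockfile alone)`);
    // Same version string with different bytes behind it is a republish.
    if (prev.version === next.version) reasons.push("same version number but different content: treat as a republish");
  }
  return reasons;
}

// Returns a list of findings: added, removed and modified pins.
function diffLockfiles(oldLock, newLock) {
  const before = flattenDependencies(oldLock.dependencies);
  const after = flattenDependencies(newLock.dependencies);
  const findings = [];
  for (const [path, entry] of after) {
    const prev = before.get(path);
    if (!prev) {
      findings.push({ path, change: "added", version: entry.version });
      continue;
    }
    const reasons = compareEntries(prev, entry);
    if (reasons.length) findings.push({ path, change: "modified", reasons });
  }
  for (const path of before.keys()) {
    if (!after.has(path)) findings.push({ path, change: "removed" });
  }
  return findings;
}

// Stand-alone run: report the constructed sample.
for (const f of diffLockfiles(OLD_LOCK, NEW_LOCK)) {
  console.log(`${f.change.toUpperCase()} ${f.path}${f.reasons ? ": " + f.reasons.join("; ") : ""}`);
}
```

To use it on a real project, replace OLD_LOCK and NEW_LOCK with `JSON.parse` of the committed lockfile and the freshly regenerated one; anything reported as "modified" with an algorithm change or a same-version republish is worth opening the two tarballs side by side, as was done by hand with the unpkg links above.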

@danielweck

I posted at NPM's "registry" project too: https://github.com/npm/registry/issues/256

@danielweck

danielweck commented Jan 6, 2018

@ceejbot statement from https://github.com/npm/registry/issues/255 :

Beginning at 18:36 GMT today, 106 packages were made unavailable from the registry. 97 of them were restored immediately. Unfortunately, people published over 9 of them, causing delays in the restoration of those 9. We are continuing to clean up the overpublications. All installations that depend on the 106 packages should now be working.

I wonder if pinkie is one of the 9 identified packages?

@danielweck

Follow-up:
https://github.com/npm/registry/issues/256#issuecomment-355785321
(probably a good idea to clear npm/yarn lockfiles, caches and node_modules)

@danielweck

PS: this issue can now be closed.

@fischman

fischman commented Jan 8, 2018

NPM n00b here: is it not worrying that the "maintainers" field of several entries in https://registry.npmjs.org/pinkie/ still point to puradox?

@danielweck

Very good point. NPM's internal "metadata" seems to have retained information about the unwanted package's publisher (as a "maintainer"), even though pinkie's public project metadata doesn't include "puradox" as a contributor.
https://unpkg.com/[email protected]/package.json

Perhaps ask here: https://github.com/npm/registry/issues
...and please cross-reference the original issue:
https://github.com/npm/registry/issues/256
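The question raised two comments up, whether the registry document for pinkie still lists the unexpected account as a maintainer on some versions, is something a consumer can check mechanically rather than by reading JSON in a browser. The following is an added example, not code from npm or the pinkie project, that audits a registry "packument" (the document served at https://registry.npmjs.org/pinkie/) against a list of accounts you expect to control the package. The sample document is constructed inline with the version numbers and account names from this thread; the field names (`versions[v]._npmUser`, per-version `maintainers`, top-level `maintainers`, `dist-tags`) follow the public registry format, and the e-mail addresses are placeholders. The expected-maintainer list `["floatdrop"]` is the assumption a consumer of pinkie would make from the package's own repository.

```javascript
// Added example (not npm's or the pinkie project's code): audit a registry
// packument and flag versions whose publishing account or per-version
// maintainer snapshot falls outside the accounts expected to own the package.

// Constructed sample shaped like https://registry.npmjs.org/<name>. Version
// numbers and account names are from the thread; e-mails are placeholders.
const SAMPLE_PACKUMENT = {
  name: "pinkie",
  "dist-tags": { latest: "2.0.5" },
  maintainers: [{ name: "floatdrop", email: "floatdrop@example.invalid" }],
  versions: {
    "2.0.4": {
      version: "2.0.4",
      _npmUser: { name: "floatdrop", email: "floatdrop@example.invalid" },
      maintainers: [{ name: "floatdrop", email: "floatdrop@example.invalid" }],
      dist: {
        integrity: "sha1-clVrgM+g1IqXToDnckjoDtT3+HA=",
        tarball: "https://registry.npmjs.org/pinkie/-/pinkie-2.0.4.tgz",
      },
    },
    "2.0.5": {
      version: "2.0.5",
      _npmUser: { name: "puradox", email: "puradox@example.invalid" },
      maintainers: [{ name: "puradox", email: "puradox@example.invalid" }],
      dist: {
        integrity: "sha512-9fAxS/+I3fBLBLJpZkuUTa1nY78BDWiP4Z8NFebaBCt3NuInv31J4YrljAaktsJ5QodyQ1qyr5EdBzTITF1cxw==",
        tarball: "https://registry.npmjs.org/pinkie/-/pinkie-2.0.5.tgz",
      },
    },
  },
};

// Names from a registry maintainer array ([{name, email}, ...]).
function maintainerNames(list) {
  return (list || []).map((m) => m && m.name).filter(Boolean);
}

// Audit one packument against the accounts expected to own the package.
// Returns the latest tag, whether it resolves to a flagged version, any
// unexpected top-level maintainers, and one finding per suspicious version.
function auditPackument(doc, expectedMaintainers) {
  const expected = new Set(expectedMaintainers);
  const latest = doc["dist-tags"] ? doc["dist-tags"].latest : undefined;
  const versions = [];

  for (const [version, meta] of Object.entries(doc.versions || {})) {
    const publisher = meta._npmUser ? meta._npmUser.name : undefined;
    const maintainers = maintainerNames(meta.maintainers);
    const problems = [];
    if (!publisher) {
      problems.push("no _npmUser recorded for this version");
    } else if (!expected.has(publisher)) {
      problems.push(`published by unexpected account "${publisher}"`);
    }
    const strangers = maintainers.filter((n) => !expected.has(n));
    if (strangers.length) problems.push(`version maintainers include ${strangers.join(", ")}`);
    if (problems.length) versions.push({ version, publisher, maintainers, problems });
  }

  const unexpectedTopLevelMaintainers = maintainerNames(doc.maintainers).filter((n) => !expected.has(n));
  return {
    latest,
    latestFlagged: versions.some((v) => v.version === latest),
    unexpectedTopLevelMaintainers,
    versions,
  };
}

// Stand-alone run: audit the constructed sample with floatdrop as the only
// expected owner (an assumption for this example).
const report = auditPackument(SAMPLE_PACKUMENT, ["floatdrop"]);
console.log(`latest=${report.latest} flagged=${report.latestFlagged}`);
for (const v of report.versions) {
  console.log(`${v.version}: ${v.problems.join("; ")}`);
}
```

On the sample this reports 2.0.5 as published by, and maintained by, an account outside the expected set while the top-level maintainers list is clean, which is exactly the mismatch described above between the per-version registry metadata and the package's public metadata. In practice the document would be fetched with `curl https://registry.npmjs.org/pinkie` and parsed with `JSON.parse` in place of SAMPLE_PACKUMENT; `latestFlagged` is the signal that matters for a fresh install, since that is the version `npm install pinkie` resolves.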

@danielweck

Interestingly, the package duplexer3 which was actually hijacked during the downtime (completely wiped and changed for a stupid console message) does not seem to have incorrect registry metadata (maintainers):
https://registry.npmjs.org/duplexer3

@danielweck

Perhaps @puradox is a developer who worked with @floatdrop in the past? Can you please confirm?

@puradox

puradox commented Jan 9, 2018

Hey guys! Sorry for not posting sooner, I've been traveling quite a bit. Let me explain what happened:

I was in the middle of development when I noticed that the installation of one of my tools failed. I was receiving an error stating that pinkie was not to be found. So I visited https://www.npmjs.com/ to see for myself, and indeed, they were being reported as missing or non-existent. Thinking this was a possible left-pad incident, I sent a tweet over to @floatdrop, quickly forked floatdrop/pinkie, bumped the patch, and published it under my account. After that, it was working immediately and I was able to get back to work.

I had absolutely no intention of "hijacking" this package and apologize for any inconvenience this may have caused the maintainers of pinkie or the staff at npm.

Referencing the latest npm blog post, it seems npm had an outage during the time I was attempting to install my tools. Knowing that this wasn't another left-pad incident is relieving, but other concerns come to mind regarding the security of npm.

@fischman

fischman commented Jan 9, 2018

@puradox thanks for chiming in!
I hope npm/registry#258 can get the registry metadata restored to how it was before this excitement happened (plz follow up there if you know how to make it happen; I suspect the answer is it must be done by registry admins).

@danielweck

Good to hear from you puradox :)
I responded at npm/registry, let's hope NPM comes up with further platform robustness / security improvements!
https://github.com/npm/registry/issues/256#issuecomment-356190370

@webmobiles

webmobiles commented Jun 24, 2018

Just deleting yarn.lock and executing yarn install solved it. I'm using yarn 1.9.
