Not fixed: 'pinkie' package deleted then re-published by other dev! #256
@ceejbot, posting here as new issue, as https://github.com/npm/registry/issues/255 is now closed.
Is
2.0.5 no longer seems to exist.
Great, the original v2.0.4 version seems restored. However, projects that pulled the bogus 2.0.5 version (most likely indirectly / unbeknownst to them) will probably have to delete their package-lock.json and yarn.lock, clear their node_modules directories and the yarn / npm cache, just to be sure. What a mess.
That is indeed the hazard of having a lockfile without a registry of your own, since the same thing could happen with a bug or a rapidly unpublished version.
Yep, 24h window to npm-unpublish.
It wasn't just that package: mohsen1/json-formatter-js@9ca1bf1...559ac99. All those packages existed a few hours ago. I regret updating my packages without first inspecting those mysterious patched versions. Not sure if they were malicious.
@mohsen1 They weren't. https://twitter.com/npmjs/status/950105013237485571
Luckily I could retrieve those packages from the yarn cache on my machine. They look identical to existing versions. I have a cache of those versions if anyone is interested.
Ah, someone reported that the NPM registry metadata includes maintainers who published the hijacked packages ... can someone look into this please?
@danielweck I had no intention of "hijacking" pinkie. See my comment on floatdrop/pinkie#18.
@puradox I have no doubt that your intentions were good :) That being said, the "first-come first-served" model of NPM (with respect to package names) can too easily be misused / abused, as demonstrated by this latest incident. As for mitigating the actual crisis situation that took place this weekend: I am not sure what the most appropriate response should have been on the part of developers who do not directly include the missing packages (e.g. pinkie), but only reference other dependencies that do. Rather than publish a package clone to temporarily "fill the gap", I wonder if some kind of peerDependency hack could have been used (probably not, as the entire history of package versions had suddenly vanished). In the interim, I personally used my local package cache, froze versions, and suspended CI builds to prevent them from attempting to fetch the bogus hierarchy of dependencies.
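As an added example (not code from this thread or from npm), a lockfile check for the indirect case discussed above: it walks a package-lock.json and reports the transitive path to any denylisted version such as pinkie@2.0.5, so a project can see which direct dependency pulled it in before it clears caches and lockfiles. The sample lockfiles, the package name some-lib and the v3 layout are constructed for the example.

```javascript
// Added example, not code from the issue thread: report every place a
// package-lock.json resolves a known-bad package@version, with the transitive
// path that pulled it in. Handles lockfileVersion 1 (nested "dependencies",
// the 2018 format) and lockfileVersion 2/3 ("packages" keyed by path).
// Constructed v1 lockfile: pinkie is never a direct dependency, but the
// re-published pinkie@2.0.5 arrives through some-lib > pinkie-promise.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-lib": {
      version: "1.0.0",
      dependencies: {
        "pinkie-promise": { version: "2.0.1", dependencies: { pinkie: { version: "2.0.5" } } },
      },
    },
    pinkie: { version: "2.0.4" },
  },
};
// The same tree in the v3 layout (constructed); nesting is encoded in the key.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "node_modules/some-lib": { version: "1.0.0" },
    "node_modules/some-lib/node_modules/pinkie-promise": { version: "2.0.1" },
    "node_modules/some-lib/node_modules/pinkie-promise/node_modules/pinkie": { version: "2.0.5" },
    "node_modules/pinkie": { version: "2.0.4" },
  },
};
// Known-bad pairs; pinkie@2.0.5 is the re-published version from the thread.
const DENYLIST = new Set(["pinkie@2.0.5"]);

// Returns one sorted "a@1 > b@2 > c@3" string per denylisted occurrence.
function findDenylisted(lock, denylist = DENYLIST) {
  const hits = [];
  const record = (path) => { if (denylist.has(path[path.length - 1])) hits.push(path.join(" > ")); };
  if (lock.packages) {
    for (const key of Object.keys(lock.packages).filter(Boolean)) { // "" is the root project
      // Rebuild each ancestor's key from the node_modules/ segments to read its version.
      const names = key.split("node_modules/").slice(1).map((s) => s.replace(/\/$/, ""));
      record(names.map((n, i) =>
        `${n}@${lock.packages["node_modules/" + names.slice(0, i + 1).join("/node_modules/")].version}`));
    }
  } else {
    const walk = (deps, path) => Object.entries(deps || {}).forEach(([name, e]) => {
      const here = [...path, `${name}@${e.version}`];
      record(here);
      walk(e.dependencies, here); // v1 nests transitive deps under each entry
    });
    walk(lock.dependencies, []);
  }
  return hits.sort();
}
```

Run against a real lockfile with `findDenylisted(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; the first segment of each reported path is the direct dependency to hold back.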
pinkie (https://www.npmjs.com/package/pinkie) was version 2.0.4 by official developer @floatdrop (https://www.npmjs.com/~floatdrop), but now version 2.0.5 by other developer @puradox (https://www.npmjs.com/~puradox). See issue: floatdrop/pinkie#18 (comment)