This repository has been archived by the owner on Aug 23, 2018. It is now read-only.

Not fixed: 'pinkie' package deleted then re-published by other dev! #256

Closed
danielweck opened this issue Jan 6, 2018 · 11 comments

Comments

@danielweck

danielweck commented Jan 6, 2018

pinkie ( https://www.npmjs.com/package/pinkie ) was version 2.0.4 by official developer @floatdrop ( https://www.npmjs.com/~floatdrop ), but now version 2.0.5 by other developer @puradox ( https://www.npmjs.com/~puradox ).

See issue: floatdrop/pinkie#18 (comment)

@danielweck
Author

@ceejbot , posting here as new issue, as https://github.com/npm/registry/issues/255 is now closed.
Quoting you:

Beginning at 18:36 GMT today, 106 packages were made unavailable from the registry. 97 of them were restored immediately. Unfortunately, people published over 9 of them, causing delays in the restoration of those 9. We are continuing to clean up the overpublications. All installations that depend on the 106 packages should now be working.

Is pinkie one of the 9 identified packages?

@ljharb

ljharb commented Jan 6, 2018

2.0.5 no longer seems to exist.

@danielweck
Author

Great, the original v2.0.4 version seems restored. However, projects that pulled bogus 2.0.5 version (most likely, indirectly / unbeknownst to them) will probably have to delete their package-lock.json and yarn.lock, clear their node_modules directories and the yarn / npm cache, just to be sure. What a mess.

@ljharb

ljharb commented Jan 6, 2018

That is indeed the hazard of having a lockfile without a registry of your own, since the same thing could happen with a bug or a rapidly unpublished version.

@danielweck
Author

Yep, 24h window to npm-unpublish.

@mohsen1

mohsen1 commented Jan 7, 2018

It wasn't just that package. A bunch of packages (pinkie-promise and pinkie) were bumped with patch versions, but they don't exist in the registry anymore. See this diff:

mohsen1/json-formatter-js@9ca1bf1...559ac99

All those packages existed a few hours ago.

I regret updating my packages without first inspecting those mysterious patched versions. Not sure if they were malicious.

@ljharb

ljharb commented Jan 7, 2018

@mohsen1 They weren't. https://twitter.com/npmjs/status/950105013237485571

@mohsen1

mohsen1 commented Jan 7, 2018

Luckily I could retrieve those packages from the yarn cache on my machine. They look identical to existing versions. I have a cache of those versions if anyone is interested.

@danielweck
Author

Ah, someone reported that the NPM registry metadata includes maintainers who published the hijacked packages ... can someone look into this please?
floatdrop/pinkie#18 (comment)

@puradox

puradox commented Jan 9, 2018

@danielweck I had no intention of "hijacking" pinkie. See my comment on floatdrop/pinkie#18.

@danielweck
Author

@puradox I have no doubt that your intentions were good :)
(unlike with the person who hacked duplexer3 while the package was down!)

That being said, the "first-come first-served" model of NPM (with respect to package names) can too easily be misused / abused, as demonstrated by this latest incident.
I wonder if NPM could enforce some kind of lightweight "ownership transition" rules for packages that suddenly become orphan (a bit like when NPM introduced the 24h window to unpublish an erroneous package).

As for mitigating the actual crisis situation that took place this weekend: I am not sure what the most appropriate response should have been on the part of developers who do not directly include the missing packages (e.g. pinkie), but only reference other dependencies that do. Rather than publish a package clone to temporarily "fill the gap", I wonder if some kind of peerDependency hack could have been used (probably not, as the entire history of package versions had suddenly vanished). In the interim, I personally used my local package cache, froze versions, and suspended CI builds to prevent them from attempting to fetch the bogus hierarchy of dependencies.
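The thread raises two practical checks a maintainer would want after an incident like this: whether the versions pinned in a lockfile still exist and still match what the registry serves (the "delete the lockfile and caches" discussion above), and whether a locked version was published by an account that is not a listed maintainer of the package (the registry-metadata observation above). The following is an added example, not code from the thread or from npm, that runs both checks offline over a lockfile object and registry "packument" documents of the shape `npm view <pkg> --json` returns. The packument fields it reads (`maintainers`, `versions[v]._npmUser`, `versions[v].dist.integrity`, `time[v]`) are real registry fields; the package names, user names, dates and integrity strings below are constructed sample data, and the lockfile is assumed to be the lockfileVersion 1 `dependencies` tree.

```javascript
// Added example (not from the thread or from npm): audit a package-lock.json
// against registry packument metadata and report locked versions that
//   (a) no longer exist in the registry,
//   (b) were published by an account that is not a current maintainer,
//   (c) have a tarball integrity that differs from what the registry reports,
//   (d) were published at or after a given cutoff (e.g. an incident start time).
// Every value in the two sample documents below is constructed, not real data.

const sampleLockfile = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "sample-lib": {
      version: "1.2.5",
      resolved: "https://registry.npmjs.org/sample-lib/-/sample-lib-1.2.5.tgz",
      integrity: "sha512-LIB125CONSTRUCTED",
      dependencies: {
        "sample-util": {
          version: "0.1.0",
          resolved: "https://registry.npmjs.org/sample-util/-/sample-util-0.1.0.tgz",
          integrity: "sha512-UTIL010TAMPERED", // differs from registry on purpose
        },
      },
    },
    "sample-promise": {
      version: "2.0.1", // constructed: this version is absent from the packument
      resolved: "https://registry.npmjs.org/sample-promise/-/sample-promise-2.0.1.tgz",
      integrity: "sha512-PROMISE201CONSTRUCTED",
    },
  },
};

const samplePackuments = {
  "sample-lib": {
    maintainers: [{ name: "original-dev", email: "original@example.com" }],
    time: { "1.2.4": "2016-03-01T00:00:00.000Z", "1.2.5": "2018-01-06T19:10:00.000Z" },
    versions: {
      "1.2.4": { _npmUser: { name: "original-dev", email: "original@example.com" },
                 dist: { integrity: "sha512-LIB124CONSTRUCTED" } },
      "1.2.5": { _npmUser: { name: "other-account", email: "other@example.com" },
                 dist: { integrity: "sha512-LIB125CONSTRUCTED" } },
    },
  },
  "sample-util": {
    maintainers: [{ name: "util-dev", email: "util@example.com" }],
    time: { "0.1.0": "2017-05-10T00:00:00.000Z" },
    versions: {
      "0.1.0": { _npmUser: { name: "util-dev", email: "util@example.com" },
                 dist: { integrity: "sha512-UTIL010CONSTRUCTED" } },
    },
  },
  "sample-promise": {
    maintainers: [{ name: "original-dev", email: "original@example.com" }],
    time: { "2.0.0": "2016-04-01T00:00:00.000Z" },
    versions: {
      "2.0.0": { _npmUser: { name: "original-dev", email: "original@example.com" },
                 dist: { integrity: "sha512-PROMISE200CONSTRUCTED" } },
    },
  },
};

// Walk the lockfile's nested dependency tree and return a list of findings.
// `options.since` is an optional ISO timestamp; versions published at or
// after it are reported so they can be inspected by hand.
function auditLockfile(lock, packuments, options = {}) {
  const since = options.since ? Date.parse(options.since) : null;
  const findings = [];

  function check(name, entry, path) {
    const doc = packuments[name];
    const versionDoc = doc && doc.versions && doc.versions[entry.version];
    const base = { package: name, version: entry.version, path };
    if (!versionDoc) {
      findings.push({ ...base, reason: "version-missing" });
      return; // nothing else can be compared for a version that is gone
    }
    const maintainers = new Set((doc.maintainers || []).map((m) => m.name));
    const publisher = versionDoc._npmUser ? versionDoc._npmUser.name : null;
    if (!publisher || !maintainers.has(publisher)) {
      findings.push({ ...base, reason: "non-maintainer-publisher", publisher });
    }
    const registryIntegrity = versionDoc.dist && versionDoc.dist.integrity;
    if (entry.integrity && registryIntegrity && entry.integrity !== registryIntegrity) {
      findings.push({ ...base, reason: "integrity-mismatch" });
    }
    const publishedAt = doc.time && doc.time[entry.version] ? Date.parse(doc.time[entry.version]) : null;
    if (since !== null && publishedAt !== null && publishedAt >= since) {
      findings.push({ ...base, reason: "published-after-cutoff", publishedAt: doc.time[entry.version] });
    }
  }

  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = path.concat(name);
      check(name, entry, here);
      walk(entry.dependencies, here); // lockfileVersion 1 nests transitive deps
    }
  }

  walk(lock.dependencies, []);
  return findings;
}

// Cutoff chosen to match the incident start time quoted earlier in the thread.
const report = auditLockfile(sampleLockfile, samplePackuments, { since: "2018-01-06T18:36:00Z" });
for (const f of report) {
  console.log(`${f.path.join(" > ")}@${f.version}: ${f.reason}${f.publisher ? ` (${f.publisher})` : ""}`);
}
```

A `non-maintainer-publisher` hit is only a prompt to look closer, since a maintainer can legitimately be removed after publishing; `version-missing` and `integrity-mismatch` are the findings that explain a failing `npm ci`, and they identify exactly which lockfile entries need to be re-resolved rather than discarding the whole lockfile and cache.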
