In 2016, the maintainer of the left-pad package unpublished it from NPM, leaving millions of builds broken before NPM stepped in and un-unpublished the package themselves before too much chaos could arise.
https://www.theregister.com/2016/03/23/npm_left_pad_chaos/
What preventative measures have been put in place against such incidents occurring in the future? Has anything changed in how node_modules files are managed locally, bundled, etc? Did NPM change their policy on how open-source works? Is there any expected effort to move away from or modify the way open-source development works to handle issues like these?
Edit: I was looking to generate open-ended discussion but I guess StackOverflow is not the place for that, so modified my question accordingly.
CodePudding user response:
npm made it harder to unpublish packages
The incident occurred because the maintainer of left-pad was able to unpublish the package, despite the community’s dependency on it.
Shortly after the incident (March 23rd 2016), npm published a post-mortem which included their plans for resolution:
We will make it harder to un-publish a version of a package if doing so would break other packages.
npm soon followed up with an update (March 29th 2016):
If the version is older than 24 hours, then the unpublish will fail, with a message to contact [email protected].
npm announced a more significant update recently (January 2020), which is their currently effective unpublish policy:
Packages published less than 72 hours ago
For newly created packages, as long as no other packages in the npm Public Registry depend on your package, you can unpublish anytime within the first 72 hours after publishing.
Packages published more than 72 hours ago
Regardless of how long ago a package was published, you can unpublish a package that:
- no other packages in the npm Public Registry depend on
- had less than 300 downloads over the last week
- has a single owner/maintainer
This means that a package such as left-pad, which many other packages depended on, effectively cannot be unpublished.
npm blocked publishing to an abandoned package name
The other concern was that it was previously possible for someone to publish a malicious package to an abandoned package name (which luckily didn't happen in the case of left-pad). npm rectified this as part of their initial post-mortem:
If a package with known dependents is completely unpublished, we’ll replace that package with a placeholder package that prevents immediate adoption of that name. It will still be possible to get the name of an abandoned package by contacting npm support.
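An added example, not part of the answer above and not npm's own code: it applies the January 2020 unpublish rules quoted in the answer to a dependency list, to show which dependencies their owner could still remove and are therefore worth mirroring or vendoring. The field names, package names and metadata are constructed assumptions.

```javascript
// Added example: evaluates the unpublish rules quoted in the answer.
// All package metadata below is constructed, not fetched from the registry.
const HOUR_MS = 60 * 60 * 1000;

// pkg: { name, publishedAt (ISO date), dependents, weeklyDownloads, owners[] }
function canUnpublish(pkg, now) {
  const ageHours = (now - Date.parse(pkg.publishedAt)) / HOUR_MS;
  const blockers = [];
  // Both branches of the policy require zero dependents in the public registry.
  if (pkg.dependents > 0) blockers.push("other packages depend on it");
  if (ageHours >= 72) {
    // Past 72 hours, the download and ownership conditions must also hold.
    if (pkg.weeklyDownloads >= 300) blockers.push("300 or more downloads last week");
    if (pkg.owners.length !== 1) blockers.push("not a single owner/maintainer");
  }
  return { allowed: blockers.length === 0, blockers };
}

// Names of dependencies whose owner could still remove them from the registry.
function removableDependencies(deps, now) {
  return deps.filter((d) => canUnpublish(d, now).allowed).map((d) => d.name);
}

const NOW = Date.parse("2020-02-01T00:00:00Z"); // fixed clock for repeatable output
const SAMPLE_DEPS = [ // hypothetical packages
  { name: "popular-util", publishedAt: "2016-01-01T00:00:00Z",
    dependents: 5000, weeklyDownloads: 2000000, owners: ["a"] },
  { name: "fresh-leaf", publishedAt: "2020-01-31T00:00:00Z",
    dependents: 0, weeklyDownloads: 1000, owners: ["a", "b"] },
  { name: "fresh-used", publishedAt: "2020-01-30T12:00:00Z",
    dependents: 2, weeklyDownloads: 10, owners: ["a"] },
  { name: "old-quiet", publishedAt: "2018-06-01T00:00:00Z",
    dependents: 0, weeklyDownloads: 299, owners: ["a"] },
  { name: "old-shared", publishedAt: "2018-06-01T00:00:00Z",
    dependents: 0, weeklyDownloads: 40, owners: ["a", "b"] },
];

for (const dep of SAMPLE_DEPS) {
  const { allowed, blockers } = canUnpublish(dep, NOW);
  console.log(dep.name, allowed ? "REMOVABLE" : "protected: " + blockers.join("; "));
}
```
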