Guy brings down thousands of npm builds
-
@lucas1 said:
I suspect that the NPM directory will become append-only to fix the problem. Or they could have a separate set of packages that is produced by them which are a recommended import.
Or just change the removal of packages to "invisible to search, but existing users can keep using it".
-
@cartman82 To my understanding, the problem isn't that the packages have been removed, as npm doesn't let you do that (deletion from index only, not purging), but rather that almost all dependencies are specified as a range, and if enough versions are removed, these ranges will fail to satisfy.
-
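The point made in the post above (a package stays in the index, but a dependent's semver range may match nothing once enough versions are gone) is easier to see with code. The following is an added example, not code from any post in this thread and not npm's own resolver: a minimal implementation of caret-range matching as node-semver documents it, run against a constructed version list. The version numbers and the name "left-pad" are illustrative only.

```javascript
// Added example (not from any post in this thread, not npm's own code):
// a minimal resolver for npm-style caret ranges, showing why a dependency
// declared as a range stops resolving once the versions it matched are
// unpublished, even though the package itself still exists in the index.
// The registry snapshot below is constructed, not scraped from npm.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version (no prerelease/build tags handled): ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare on [major, minor, patch] tuples.
function cmpTuple(a, b) {
  return (a[0] - b[0]) || (a[1] - b[1]) || (a[2] - b[2]);
}

// Caret semantics as node-semver documents them: "^1.2.3" is >=1.2.3 <2.0.0;
// with major 0 the minor is locked ("^0.2.3" is >=0.2.3 <0.3.0); with major and
// minor both 0 only that exact patch matches ("^0.0.3" is >=0.0.3 <0.0.4).
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are handled here: ${range}`);
  const lower = parseVersion(range.slice(1));
  const upper = caretUpperBound(lower);
  const v = parseVersion(version);
  return cmpTuple(v, lower) >= 0 && cmpTuple(v, upper) < 0;
}

// Highest published version satisfying the range, or null if none does.
function resolve(range, published) {
  const ok = published.filter(v => satisfiesCaret(range, v));
  if (ok.length === 0) return null;
  ok.sort((a, b) => cmpTuple(parseVersion(a), parseVersion(b)));
  return ok[ok.length - 1];
}

// Constructed registry snapshot (hypothetical version history).
const registry = {
  'left-pad': ['0.0.3', '0.0.9', '0.1.0', '0.1.1', '0.1.3', '1.0.0', '1.1.3'],
};

// Simulate pulling individual versions: the package stays in the index,
// only the listed versions disappear from it.
function unpublishVersions(reg, name, versions) {
  return { ...reg, [name]: (reg[name] ?? []).filter(v => !versions.includes(v)) };
}

// Resolve several dependents' declared ranges against one package.
function resolveAll(reg, name, ranges) {
  return Object.fromEntries(ranges.map(r => [r, resolve(r, reg[name] ?? [])]));
}

// Before the pull every range resolves; after pulling all 0.1.x releases,
// "^0.1.0" matches nothing while "^1.0.0" is untouched.
function demo() {
  const ranges = ['^0.0.3', '^0.1.0', '^1.0.0'];
  const before = resolveAll(registry, 'left-pad', ranges);
  const pulled = unpublishVersions(registry, 'left-pad', ['0.1.0', '0.1.1', '0.1.3']);
  const after = resolveAll(pulled, 'left-pad', ranges);
  return { before, after };
}
```

Run `demo()` to compare the two resolutions; the `^0.1.0` dependents are the ones whose installs fail, because a caret on a 0.x version never widens to 1.x. Prerelease tags, tilde ranges and `||` unions are deliberately left out to keep the semantics readable.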
@aliceif said:
@JazzyJosh said:
@ScholRLEA Tell me I'm pretty
Actually, it made me think of the Banshee in WLBC II, who would say that. I know it's a quote from somewhere else, but I can't recall where.
As for myself... WIP, probably won't succeed but I'm trying.
-
@ScholRLEA said:
WLBC
WLBC-FM is an FM radio station broadcasting on a frequency of 104.1 MHz and located in Muncie, Indiana.
-
@cartman82 said in Guy brings down thousands of npm builds:
Guy gets pissed off at npm and withdraws all his modules.
Not today!
-
@boomzilla Good Lord, leftpad happened eight (...) years ago. How time flies when you're having ... "fun"...
-
@boomzilla I mean this is a fantastic example of not thinking through the consequences of actions.
Not the everything guy, either, but the entire policy about removing packages has always been a bit suspect, precisely because it set up for something like leftpad being a disaster from the start.
-
8 years later
Damn, I feel old.
-
gdi2290, aka PatrickJS, who is behind this prank, apologized for "any difficulties this package has caused," and contacted npm admins to remedy the issue.
Boo!
-
"Imagine you did an experiment, published a package to NPM and now you want to remove your NPM package. You can't do it if other packages are using it," writes Jossef Harush, Head of Software Supply Chain Security at Checkmarx on the company's blog.
Why are you publishing your experimental stuff to some sort of shared public repo, though?
-
@cvi said in Guy brings down thousands of npm builds:
"Imagine you did an experiment, published a package to NPM and now you want to remove your NPM package. You can't do it if other packages are using it," writes Jossef Harush, Head of Software Supply Chain Security at Checkmarx on the company's blog.
Why are you publishing your experimental stuff to some sort of shared public repo, though?
Because you are a mindless drone. A pretty common affliction.
-
Hey!! All you time travelers ... stop posting from the fucking future!!
-
@cvi said in Guy brings down thousands of npm builds:
"Imagine you did an experiment, published a package to NPM and now you want to remove your NPM package. You can't do it if other packages are using it,"
Why are you publishing your experimental stuff to some sort of shared public repo, though?
Because you are stupid.
Unfortunately, shouting "You're doing it wrong!!" doesn't always get people to stop doing stupid things. Sometimes you need someone who is willing to step up and be an asshole.
-
@Gern_Blaanston said in Guy brings down thousands of npm builds:
someone who is willing to step up and be an asshole.
Well, you're in the right place for that.
-
I'm amazed that there was a systemically enforced policy to disallow deletion of a package if it so happens that some other package happens to reference it.
Let it be fucking deleted, and those that referenced it get a nice beautiful warning message, and if it's cached, an opportunity to convert it into your own local copy to include in your own repo.
DLL Hell here we come again!
-
@Tsaukpaetra said in Guy brings down thousands of npm builds:
I'm amazed that there was a systemically enforced policy to disallow deletion of a package if it so happens that some other package happens to reference it.
There wasn't, and leftpad happened, so now there is.
-
Just wondering how many modules there are now that list "everything" as a dependency.
-
@Watson so far, just one, called “everything-else” which is a v0.0.1 package from 9 years ago.
“everything” as a package has existed for 10 years but it’s only v3 that appears to have done anything “funny”.
-
@Gern_Blaanston said in Guy brings down thousands of npm builds:
Hey!! All you time travelers ... stop posting from the fucking future!!
FFS. Why can't people follow simple rules. We posted an entire FAQ about this in 2027.
-
@Gustav said in Guy brings down thousands of npm builds:
8 years later
Damn, I feel old.
Don't worry. It will only get worse.
-
@cvi said in Guy brings down thousands of npm builds:
Why are you publishing your experimental stuff to some sort of shared public repo, though?
What if you're experimenting publishing to a public repo? :avocado_with_horns:
-
@Tsaukpaetra said in Guy brings down thousands of npm builds:
I'm amazed that there was a systemically enforced policy to disallow deletion of a package if it so happens that some other package happens to reference it.
I'm more surprised that there isn't a check to see whether the dependency graph is a DAG.
-
@dkf said in Guy brings down thousands of npm builds:
@Tsaukpaetra said in Guy brings down thousands of npm builds:
I'm amazed that there was a systemically enforced policy to disallow deletion of a package if it so happens that some other package happens to reference it.
I'm more surprised that there isn't a check to see whether the dependency graph is a DAG.
There probably is at the point of resolution in npm itself.
But note that “everything” is really a meta package that points to half a dozen other packages that just hard-list everything else, built by scraping the npm registry.
Which means it must be doing something DAG-like somewhere because everything-registry/everything -> everything-registry/chunk0 -> list of dependencies, such that everything itself only has 5 dependencies (chunk0 through chunk4) and those individually have all the dependencies.
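Two things come up in the posts above: the unpublish policy that refuses to delete a package other packages depend on, and the question of whether the dependency graph is checked to be a DAG. The following is an added example, not code from any post in this thread and not npm's own implementation: a small graph shaped like the chunked "everything" layout described above, a DFS colouring check that returns a cycle if one exists, and direct and transitive reverse-dependency lookups of the kind an unpublish policy needs. The package names and edges (including "everything-else" depending on "everything", and a hypothetical extra edge that closes a cycle) are constructed for illustration; the real packages have far more chunks and dependencies.

```javascript
// Added example (not from any post in this thread, not npm's own code):
// a constructed dependency graph in the chunked "everything" shape, with a
// DAG check and reverse-dependency lookups. Edges are hypothetical.

const graph = {
  'everything': ['chunk0', 'chunk1', 'chunk2', 'chunk3', 'chunk4'],
  'chunk0': ['left-pad', 'lodash'],
  'chunk1': ['lodash', 'express'],
  'chunk2': ['express', 'react'],
  'chunk3': ['react', 'left-pad'],
  'chunk4': ['left-pad'],
  'everything-else': ['everything'],   // as described in the thread
  'left-pad': [],
  'lodash': [],
  'express': [],
  'react': [],
};

// Returns null if the graph is a DAG, otherwise one cycle as a list of
// package names (first and last entry equal). Classic three-colour DFS:
// reaching a GREY (in-progress) node again means a back edge, i.e. a cycle.
function findCycle(g) {
  const WHITE = 0, GREY = 1, BLACK = 2;
  const colour = new Map();
  const path = [];
  function visit(node) {
    colour.set(node, GREY);
    path.push(node);
    for (const dep of g[node] ?? []) {
      const c = colour.get(dep) ?? WHITE;
      if (c === GREY) return path.slice(path.indexOf(dep)).concat(dep);
      if (c === WHITE) {
        const cyc = visit(dep);
        if (cyc) return cyc;
      }
    }
    path.pop();
    colour.set(node, BLACK);
    return null;
  }
  for (const node of Object.keys(g)) {
    if ((colour.get(node) ?? WHITE) === WHITE) {
      const cyc = visit(node);
      if (cyc) return cyc;
    }
  }
  return null;
}

// Direct dependents: the packages whose declared dependencies name `name`.
// This is the set an unpublish policy would look at before refusing.
function dependentsOf(g, name) {
  return Object.keys(g).filter(p => (g[p] ?? []).includes(name)).sort();
}

// Transitive dependents: everything that reaches `name` through the graph,
// i.e. every package whose install would break if `name` disappeared.
function transitiveDependentsOf(g, name) {
  const seen = new Set();
  const queue = [name];
  while (queue.length) {
    const cur = queue.shift();
    for (const d of dependentsOf(g, cur)) {
      if (!seen.has(d)) { seen.add(d); queue.push(d); }
    }
  }
  return [...seen].sort();
}

// Return a copy of the graph with one extra edge, used below to show what
// happens if a future chunk were to list "everything-else".
function withEdge(g, from, to) {
  return { ...g, [from]: [...(g[from] ?? []), to] };
}

// Hypothetical: chunk4 starts depending on everything-else, closing the loop
// everything -> chunk4 -> everything-else -> everything.
const cyclicGraph = withEdge(graph, 'chunk4', 'everything-else');
```

With the graph as drawn, `findCycle(graph)` returns `null`, `dependentsOf(graph, 'left-pad')` lists only the three chunks, and `transitiveDependentsOf(graph, 'left-pad')` adds `everything` and `everything-else` on top of them. `findCycle(cyclicGraph)` returns the loop through `chunk4` and `everything-else`, which is the check a registry would have to run at publish time to keep a scraped "depend on everything" package from ever depending on itself.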