NPM controversy


#1

There is quite a controversy going on concerning NPM.

This guy removed his NPM libraries because of some legal issues. In the void left behind, not only were many projects broken, but the package appeared to be hijacked. Eventually it was confirmed that the new package is without harm, but this is a serious security issue. If one is to remove a package from NPM and someone with bad intentions takes over, it will automatically be installed in any project.

I’m just wondering, how does this affect Ember and are the Ember core developers aware of this issue?


#2

There’s a ton of conversations happening about this. For example, Yehuda’s take on twitter. npm is also taking this very seriously. From their blog post regarding this issue…these seem like fairly definitive steps that address the concerns you rightly have:

  1. We will make it harder to un-publish a version of a package if doing so would break other packages.
  • We are still fleshing out the technical details of how this will work. Like any registry change, we will of course take our time to consider and implement it with care.
  2. We will make it harder to maliciously adopt an abandoned package name.
  • If a package with known dependents is completely unpublished, we’ll replace that package with a placeholder package that prevents immediate adoption of that name. It will still be possible to get the name of an abandoned package by contacting npm support.
  3. We are updating our internal policies to help our team stay in sync and address community conflict more effectively.

#3

Thanks for the heads up.

Meanwhile, there’s a new NPM blogpost about changes to the unpublish policy.