by josephorjoe 3087 days ago
So, a spammer uploaded something containing copied data from a legitimate user and npm deleted everything from that user. Oy.

Seems like npm might want to review the policy that allows stuff like that to happen.

Even if a user violates the spam policy (which, to be clear, it seems the affected user in this case did NOT do), that hardly seems to be appropriate grounds for deleting everything the user has ever published on npm.

That is a policy that is just begging for griefing.

> Seems like npm might want to review the policy that allows stuff like that to happen.

That's one of the things the post mentions as what they are doing.

Are "joe jobs" still a thing?

https://en.wikipedia.org/wiki/Joe_job

> A joe job is a spamming technique that sends out unsolicited e-mails using spoofed sender data. Early joe jobs aimed at tarnishing the reputation of the apparent sender or inducing the recipients to take action against them [...]

Yep. I had one against me mid-last year.

It wasn't a policy, it was a spam heuristic.

I meant the policy which allowed this to happen:

`In the course of reviewing and acting on spam reports, an npm staffer acted on this flag without further investigating the user and removed the user and all of their packages from the registry.`

Specifically, a policy that allows removing "all of [a user's] packages" based on something related to the user rather than on the packages themselves.

Feels like there should be a disconnect between decisions made about a 'user' and those made about a 'package'.

Once the package is published, there should be an understanding that the package belongs to npm and npm's users, even if the original publisher retains some authority over it.

And if there is cause to ban a user, it should not automatically mean that packages published by the user are affected (aside from removing whatever authority the user had).