by umurkontaci 2948 days ago
> I'm gonna lock this for now, because I'm sure it's gonna get plenty of traffic. You really don't need to respond to repeat what every other poster is saying. The registry team has been informed.

It's alright if they want to lock the thread to prevent a massive +1 spam, but at the very least they should have given a link to track the status of this.

When your production systems are down, "thanks for the report" is not a good enough response.

8 comments

His tone is all wrong here:

> You really don't need to respond to repeat what every other poster is saying.

Obviously they did need to, because no one from the team had responded yet. Also, his response without any link to track the status is rather disappointing, but entirely what I'd expect from the NPM team.

> his response without any link to track the status is rather disappointing but entirely what I'd expect from the NPM team.

Unfortunately, agreed. I hate being pessimistic but nothing disappoints me more than the way NPM handles a problem.

It's clearly not just a fluke at this point.

Contrast this to Yarn’s response, also this holiday weekend, to an outage incidentally caused by the NPM team. https://github.com/yarnpkg/yarn/issues/5885#issuecomment-392... Professional, responsive, not afraid of blowback from accepting feedback and “+1” posts. Is there any reason to lock the post besides bruised ego and overwhelming phone notifications? Neither of those is justifiable when you’re emitting teapot errors because you implemented a spec wrong. This feels very indicative of a toxic, amateur culture, and perhaps we’ve let it operate our package infrastructure for too long.
I'm actually blocked by the main person behind NPM because I disagreed with him over a politically motivated tweet he made... so it wouldn't surprise me in the slightest.

I was wondering how far down I would have to scroll to find something like this.

The guy is a total political zealot who hates corporations and hates that npm had to become one. He presented this at the end of NodeConfEU17 and also took the opportunity to lecture us (in Ireland) for being too white and not being as "diverse" as he wanted us to be.

IIRC, more than 50% of the presenters were women which he says is the only reason he attended the last day to speak at us. Great.

Hearing him talk was like someone taking a shit on the floor after an otherwise wonderful conference. It makes me cringe that I have to use npm after hearing that guy talk. I am not even sure I will go to that conference again after that.

Looks like his talk wasn't recorded[0]? He published the slides but they're sadly not very informative[1].

To be honest I can't believe the registry is still using CouchDB under the hood. It's not a good fit for the problem space.

I'm also not surprised he says this in his talk:

> Ultimately, I don’t like anyone else having control. If I’m going to give npm to a company, I want control of the company.

The npm registry and client should be controlled by a foundation for all the same reasons Node is. Yarn was a great step in that direction but it seems npm Inc is doubling down and based on how communication between the yarn maintainers and npm Inc went when they accidentally broke yarn[2][3], it feels like they're trying to fight yarn rather than cooperate.

I've seen npm Inc employees (including "community managers") attack people ("paying customers") on Twitter in response to criticism of how npm Inc runs their open source projects. They also don't seem to make any distinction between personal opinion and representing npm Inc, pretty much dot-com era startup "bro culture" but with different social politics.

[0]: https://www.youtube.com/playlist?list=PL0CdgOSSGlBaxNkrUIHrh...

[1]: https://www.dropbox.com/s/9rx9aalvts60w5y/why-npm-inc.pdf?dl...

[2]: https://twitter.com/jamiebuilds/status/1000198463269699584

[3]: https://twitter.com/mikeal/status/1000164993667555328

*her/their tone, if you care

As the person mostly on the hook for https://news.ycombinator.com/item?id=16435305 (as I recall), I can imagine she/they would be a little on edge.

Still not a good look. . .

I see no reason why "they've screwed up before so it's okay if they're being dismissive and intransparent" would ever be a valid argument. The point of excusing past mistakes is that they are learning opportunities.

If anything, the filesystem permissions bug only makes this worse, because it was a destructive bug in a widely promoted release (even if it was technically not supposed to be stable -- npm employees actively recommended using it on Twitter) and npm's reaction was fairly dismissive (because it's not a stable release for production use, dummy).

Only intended to explain, not excuse. I totally agree.

Has been a pattern for a while. See the other issue 3 days ago (disappearing packages) where no info is given, they remove a ton of comments, close and lock it too: https://github.com/npm/npm/issues/20766

Some time back, when they accidentally installed @latest, which accidentally wiped your hard drive, I narrowly avoided destroying my company laptop. After giving the same treatment on github and blaming their users for being dumb, they finished our twitter exchange calling me “whiny”. Happy yarn user ever since.

And here I thought the systemd people were touchy...

Something more along the lines of:

> Thanks so much for the report. Currently, we are doing our best to resolve the issue. Please continue to check back on our status page to see our updates. https://status.npmjs.org/

Sounds more appropriate.

If they had locked it a little earlier wgran wouldn't have had the opportunity to report the cause.

Isn't it? I would rather get an update after the problem has been fixed than to know that development efforts have been slowed down in order to keep me in the loop.

I am not sure if you are putting your money where your mouth is. This product can be used for free, and there is a simple work around. (i.e. Test before you upgrade.)

https://cloudplatform.googleblog.com/2017/02/Incident-manage... is a good article on how Google handles incidents.

In an incident, constant and clear communication is key.

Different scope. This is definitely how to handle incidents like, "our live production service is currently having issues" because there are critical consequences. e.g. When a system that I have worked on goes down, trucks would literally be parked at the border of different states and countries waiting for clearance.

This is a different magnitude to, "I upgraded my free dependency management tool, and now I have to downgrade it. Please tell me when I can upgrade again."

Npm Inc is a company. Their products are npm enterprise and npm orgs. Both of these are only useful in combination with the npm client. Npm enterprise likely wasn't affected by this (although related problems may have affected npm enterprise users in the past for all we know) but npm orgs were as their repositories are on the same registry.

So this is the equivalent of the official docker CLI having a bug that causes it to break after an update to the official docker hub. Sure, it may mostly affect users that aren't paying customers but it affects users indiscriminately and those users who are paying customers can't use npm the way they were sold on (i.e. using the official client with the official registry).

FWIW it also seems that this bug wasn't triggered because users updated their clients. It was a pre-existing bug in the client that was triggered by the registry behavior changing (but I'm not sure on that because the issue doesn't give many details).

Most people aren't Google.

Isn't that +1 "spam" counter an indicator of how severe the issue is and how much impact it's causing? Do I sense some sort of playing down/covering up?

P.S. The issue has been fixed about 16 min ago according to ceejbot's last reply to the github issue.

> a link to track the status of this

The GitHub issue _is_ where you go to track the status of the fix. I'm sure if there are any updates they'll be posted there; and if you're interested you can now subscribe to the issue without getting your inbox spammed by dozens of users spamming "me too" in the thread.

Yarn appears to be working, so that's a temporary workaround.