Empty NPM package '-' has over 700k downloads

Y	Hacker News new \| ask \| show \| jobs

	Empty NPM package '-' has over 700k downloads (bleepingcomputer.com)
	61 points by clubdorothe 1789 days ago

12 comments

t0mek 1789 days ago

> Developers should exercise caution when typing npm commands in the terminal when especially when using flags.

The double ”when” is quite funny here, given the nature of npm problem described in the article.

link

marechalbernard 1789 days ago

The "-" package: https://www.npmjs.com/package/-

link

tus89 1789 days ago

And removing it will probably break half the internet. NPM is a nutshell.

link

brundolf 1789 days ago

It's impossible to unpublish packages now.

link

behindsight 1789 days ago

I agree with the general sentiment, but if you do want to unpublish there is a policy available [0]

Key points being either:

- published within 72 hours and without any dependents

- no dependents, < 300/week downloads, single owner

Of course even with all that said there was also precedent for having it removed if you emailed them directly and it was up to their discretion (I believe this was prior to their acquisition so not sure if that still applies).

0: https://docs.npmjs.com/policies/unpublish

link

brundolf 1789 days ago

Technically. But the above is specifically designed to prevent someone from unpublishing a package that could "break half the internet", which is what the original poster was waxing on about.

link

galoisgirl 1788 days ago

Well, - has 56 dependents, so that ship has sailed.

link

baxuz 1788 days ago

Hopefully an npm alternative will come out, because npm and the entire node_modules & package.json resolution strategy is a joke.

link

marto1 1789 days ago

Where there's user input there's cybersquatting.

link

captn3m0 1788 days ago

Having a global namespace for packages was a bad idea. (same with ruby and python).

PHP gets it right: https://packagist.org/explore/

link

egberts 1788 days ago

A simple logic of NOT “-“ would have blocked any reintroduction/upgrade of unintended “-“ package, coupled with a inertiazed package replacing the accidentally-introduced “-“ package.

Yeah, those who depend on the original but accidental “-“ package for its functionally should suffer any consequential breakage that may have resulted from it.

*insert*fake*tear*here*

link

throwaway4good 1789 days ago

So why would anyone make a package like that?

link

jeffalyanak 1788 days ago

In the article they hypothesize that the creation of the package may have been a typo or another form of accident.

Since the content suggests it was generated by a script, there may have been an error in the input to the script or in the script itself.

link

tored 1788 days ago

Maybe, but the project does have an open issue created and edited multiple times by the developer

https://github.com/parzhitsky/-/issues/1

link

brettermeier 1789 days ago

This is normal troll stuff, I would guess. It's like claiming website URLs from known mistypers or something. Someone thinks it's funny.

link

throwaway4good 1789 days ago

And it is version 0.0.1 - how will it look when it reaches version 1.0.0?

link

hidden-spyder 1789 days ago

What even does this package do? I can't understand how to get to the source and the readme is vague.

link

imustbeevil 1789 days ago

Usually I just check the github since most NPM modules link directly to it but the only thing I find find linked is this: https://npm.runkit.com/-/dist/index.js?t=1627966991920

The index file is:

    "use strict";
    Object.defineProperty(exports, "__esModule", { value: true });
    exports.default = null;

The readme mentions that it's a test of this: https://github.com/parzh/create-package-typescript

> Recklessly create TypeScript npm packages left and right with this single command

link

tored 1788 days ago

I think this is the project.

https://github.com/parzhitsky/-

link

hidden-spyder 1788 days ago

Oh my god. Why does this exist?

link

James-Livesey 1788 days ago

> A mysterious, one-letter npm package named "-" sitting on the registry since 2020 has received over 700,000 downloads.

...then a few lines further down the article:

> An npm package called "-" has scored almost 720,000 downloads since its publication on the npm registry, since early 2020.

Kinda frustrating that the same information is being written twice imo... And then two ads in a row follow that

link

pajko 1788 days ago

What would happen if a newer version gets released sometime with some added malware functionality?

link

undebuggable 1788 days ago

Mistyped, incorrect, and copypasted shell commands which are incorrectly using the minus character.

link

brundolf 1789 days ago

Also 56 dependents

link

tapout1960 1787 days ago

can a newer version be used to introduce malicious code for those downloading or the dependents?

link