Hacker News new | ask | show | jobs
by sophiabits 36 days ago
I do not envy the position the npm team are in. They removed the ability to unpublish packages as a response to the left-pad incident[1] because it wasn't desirable for individual developers to break downstream dependencies by pulling their package maliciously.

Of course the side effect is that now it's much harder to pull packages for legitimate reasons :/

[1] https://en.wikipedia.org/wiki/Npm_left-pad_incident
6 comments
superfrank 36 days ago
Maybe give publishers a way to quarantine versions with a warning that stops the install, but allows users can override if they choose to is the next step?

Give a publisher a way to tag a version as malicious and then in those hours between the exploit being noticed and the package being removed anyone who tries to install gets a message about that version being quarantined and asking whether they want to proceed.

It's not a perfect solution, but I think it's better than just waiting for NPM to take action without opening the door up to another left pad situation.

link
thayne 36 days ago
I think cargo's yank is a good balance. It makes it difficult to pull the yanked version in as a dependency, but doesn't break existing usages, as long as the version is in the lockfile. And I think even then gives you a warning that you are using a yanked package.
link
zarzavat 36 days ago
The obvious solution is that unpublish should be available within a time window after a new version is published and then unavailable after that.
link
beart 36 days ago
There is a time window - https://docs.npmjs.com/policies/unpublish
link
zarzavat 36 days ago
Yes but they didn't do it properly. They only allow unpublishing if there are no dependants, which means it can't be used to pull a package version for security reasons.

It should be that within the first X hours you can pull a version regardless of dependants, after that you should need approval.

link
antihero 36 days ago
I would prefer my builds to break than the ecosystem to be compromised.

That said, once unpublished the version should be permanently unavailable to prevent publishing over known good versions.

link
KajMagnus 35 days ago
If a package developer maliciously breaks everyone's builds,

isn't that pretty great?

Because now you have learnt that you can't trust them

link
ummonk 36 days ago
I mean they brought that incident on themselves...
link
shimman 36 days ago
Yeah, all left pad incident showed was that NPM cares more about their corporate users than open source developers.
link