- title: When “Everything” Becomes Too Much: The npm Package Chaos of 2024
- url: https://socket.dev/blog/when-everything-becomes-too-much
- hash_url: 4a56aa5497e68df0c5bb1d5331203219
- archive_date: 2024-01-09
- og_image: https://cdn.sanity.io/images/cgdhsj6q/production/558608ba2958fabcc2578bbceb58f5061460fb32-1024x1024.png?w=1000&fit=max&auto=format
- description: An NPM user named PatrickJS launched a troll campaign with a package called "everything," which depends on all public npm packages.
- favicon: https://socket.dev/favicon-32x32.png
- language: en_US
-
- <p>Happy 2024, folks! Just when we thought we'd seen it all, an npm user named PatrickJS, aka <a class="chakra-link css-pmuo56" href="https://socket.dev/npm/user/gdi2290">gdi2290</a>, threw us a curveball. He (<a target="_blank" rel="noopener noreferrer" class="chakra-link css-pmuo56" href="https://uncenter.dev/posts/npm-install-everything/">along with a group of contributors</a>) kicked off the year with a bang, launching a troll campaign that uploaded an npm package aptly named <a class="chakra-link css-pmuo56" href="https://socket.dev/npm/package/everything"><code>everything</code></a>. This package, true to its name, depends on every other public npm package, creating millions of transitive dependencies.</p>
- <h3>The Chaos Unleashed</h3>
- <p>The <code>everything</code> package and its 3,000+ sub-packages have caused a <a class="chakra-link css-pmuo56" href="https://socket.dev/glossary/denial-of-service-dos">Denial of Service (DoS)</a> for anyone who installs it: the install never finishes, storage space runs out, and system resources are exhausted.</p>
- <p>But that's not all. The creator took their prank to the next level by setting up http://everything.npm.lol, showcasing the chaos they unleashed. They even included a meme from Skyrim, adding some humor (or mockery, depending on your perspective) to the situation.</p>
- <h4><code>everything</code>'s <code>package.json</code> file</h4>
- <pre class="css-1nw4yob"><code class="chakra-code css-y2ougk" lang="json">{
- "name": "everything",
- "version": "3.0.0",
- "description": "npm install everything",
- "main": "index.js",
- "contributors": [
- "PatrickJS <github@patrickjs.com>",
- "uncenter <hi@uncenter.dev>",
- "ChatGPT <chatgpt@openai.com>",
- "trash <trash@trash.dev>",
- "Hacksore <sean@boult.me>"
- ],
- "scripts": {},
- "keywords": [
- "everything",
- "allthethings",
- "everymodule"
- ],
- "license": "MIT",
- "homepage": "https://github.com/everything-registry/everything",
- "repository": {
- "type": "git",
- "url": "git+https://github.com/everything-registry/everything.git"
- },
- "dependencies": {
- "@everything-registry/chunk-0": "0.1.0",
- "@everything-registry/chunk-1": "0.1.0",
- "@everything-registry/chunk-2": "0.1.0",
- "@everything-registry/chunk-3": "0.1.0",
- "@everything-registry/chunk-4": "0.1.0"
- }
- }</code></pre>
- <h3>Echoes of the Past</h3>
- <p>This isn't the first time we've seen such a stunt. Last year, the <a class="chakra-link css-pmuo56" href="https://socket.dev/npm/package/no-one-left-behind/overview/2018.2.10"><code>no-one-left-behind</code></a> package by <a class="chakra-link css-pmuo56" href="https://socket.dev/npm/user/zalastax">Zalastax</a> attempted something similar. It was removed, but then reemerged under a different scope with over 33,000 sub-packages. It's like playing whack-a-mole with npm packages!</p>
- <p>It’s also reminiscent of a package called “hoarders” that used to directly depend on every module on npm (approximately 20,000 in 2012). It was published by software engineer Josh Holbrook, created to be “node.js's most complete utility grab bag.”</p>
- <p>In an effort to maintain a secure and reliable ecosystem for JavaScript developers, <a target="_blank" rel="noopener noreferrer" class="chakra-link css-pmuo56" href="https://github.com/jfhbrook/hoarders#history">hoarders was effectively “cancelled”</a> by Isaac Schlueter (creator of the npm package manager) after a year, due to the strain it caused on the registry's database.</p>
- <h3>Unintended Consequences</h3>
- <p>The <code>everything</code> package, with its 5 sub-packages and thousands of dependencies, has effectively blocked the authors of every package it depends on from unpublishing their packages. This situation is due to npm's policy shift following the infamous <a target="_blank" rel="noopener noreferrer" class="chakra-link css-pmuo56" href="https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code">"left-pad" incident in 2016</a>, where a popular package <a class="chakra-link css-pmuo56" href="https://socket.dev/npm/package/left-pad"><code>left-pad</code></a> was removed, grinding development to a halt across much of the developer world. In response, npm tightened its <a target="_blank" rel="noopener noreferrer" class="chakra-link css-pmuo56" href="https://docs.npmjs.com/policies/unpublish">rules around unpublishing</a>, specifically preventing the unpublishing of any package that is used by another package.</p>
- <p>Ironically, this policy trapped PatrickJS in his own web. Upon realizing the impact of his prank, he attempted to remove the <code>everything</code> package but was unable to do so. He reached out to the npm support team for help, but the damage was done.</p>
- <p>PatrickJS wrote this apology on GitHub in a <a target="_blank" rel="noopener noreferrer" class="chakra-link css-pmuo56" href="https://github.com/everything-registry/everything/issues/17">since-removed GitHub issue</a>:</p>
- <blockquote>Hi all! First, just want to apologize about any difficulties this package has caused. We are working to resolve the issues and we have contacted NPM regarding support with this matter (see below). We appreciate your patience.<br><br>The major issue here is that when a package depends on another package at a specific version, that version cannot be unpublished. We've since realized there is an issue with "star" versions - a.k.a depending on any/all versions of another package ( "package-xyz": "*" ) - any version of that package is now unable to unpublish. As I previously mentioned, we've reached out to npm and are hoping they can either A) allow folks to unpublish when the packages that depend on them use a "star" version, B) not permit star versions in published packages going forward, or as a last resort, C) remove our npm organization entirely (and remove all of the packages that are blocking unpublishing). As far as we can tell, there is simply nothing we can do on our own - we can't unpublish the packages ourselves (because other packages depend on them) and publishing a new version over them doesn't change anything.</blockquote>
- <p>However, we now see that while <code>everything</code> remains on the registry, the <code>@everything-registry</code> scoped packages have been made private, potentially offering a resolution.</p>
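- <p>The two hazards described in this section (unbounded transitive fan-out and "star" ranges that pin every version of a dependency against unpublishing) can be checked mechanically. The snippet below is an added example, not code from this post or from the <code>everything</code> project; it runs against a constructed, in-memory registry snapshot shaped like the chunked layout in <code>everything</code>'s <code>package.json</code>, and it simplifies range matching to exact versions plus the any-version forms npm accepts (<code>*</code>, empty string, <code>x</code>).</p>

```javascript
// Added example (not from the Socket post or the everything project).
// Constructed registry snapshot: name -> { version, dependencies }.
const ANY_VERSION = new Set(["*", "", "x"]);
const REGISTRY = {
  "everything": { version: "3.0.0", dependencies: {
    "@everything-registry/chunk-0": "0.1.0",
    "@everything-registry/chunk-1": "0.1.0" } },
  "@everything-registry/chunk-0": { version: "0.1.0", dependencies: {
    "left-pad": "*", "tiny-util": "*" } },
  "@everything-registry/chunk-1": { version: "0.1.0", dependencies: {
    "tiny-util": "*", "other-lib": "1.2.0" } },
  "left-pad": { version: "1.3.0", dependencies: {} },
  "tiny-util": { version: "2.0.0", dependencies: { "left-pad": "1.3.0" } },
  "other-lib": { version: "1.2.0", dependencies: { "tiny-util": "2.0.0" } },
};

// Breadth-first walk returning every transitive dependency name.
// The visited set keeps dependency cycles from looping forever.
function transitiveDeps(name, registry = REGISTRY) {
  const seen = new Set();
  const queue = [name];
  while (queue.length) {
    const entry = registry[queue.shift()];
    if (!entry) continue; // package missing from snapshot: skip, don't crash
    for (const dep of Object.keys(entry.dependencies)) {
      if (!seen.has(dep)) { seen.add(dep); queue.push(dep); }
    }
  }
  seen.delete(name);
  return [...seen].sort();
}

// Direct dependencies declared with an any-version ("star") range.
function starRanges(name, registry = REGISTRY) {
  const deps = (registry[name] && registry[name].dependencies) || {};
  return Object.keys(deps).filter((d) => ANY_VERSION.has(deps[d].trim())).sort();
}

// Published packages that would block unpublishing pkg@version: a dependent
// blocks it when its range is that exact version or an any-version range.
function unpublishBlockers(pkg, version, registry = REGISTRY) {
  return Object.keys(registry).filter((n) => {
    const range = registry[n].dependencies[pkg];
    return range !== undefined && (range === version || ANY_VERSION.has(range.trim()));
  }).sort();
}

// Fan-out gate a CI step can apply before running an install.
function dependencyBombRisk(name, maxTransitive, registry = REGISTRY) {
  return transitiveDeps(name, registry).length > maxTransitive;
}
```

Against the constructed snapshot, <code>left-pad@1.3.0</code> is blocked by both the exact pin in <code>tiny-util</code> and the star range in <code>chunk-0</code>, while <code>left-pad@1.2.0</code> is blocked only by the star range, which is precisely the effect PatrickJS describes above.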
- <h3>The Ripple Effect</h3>
- <p>This whole saga is more than just a digital prank. It highlights the <a class="chakra-link css-pmuo56" href="https://socket.dev/blog/inside-node-modules">ongoing challenges</a> in package management within the npm ecosystem. For developers, it's a reminder of the cascading effects of dependencies and the importance of mindful package creation, maintenance, and consumption.</p>
- <p><img alt=" " loading="lazy" src="https://cdn.sanity.io/images/cgdhsj6q/production/14461d25dd2f7a1cf456a840fe3bc1e98670e3e0-2162x1902.png?w=1600&fit=max&auto=format"></p>
- <p>As we navigate the open source world, incidents like the <code>everything</code> package remind us of the delicate balance between freedom and responsibility in open-source software.</p>
- <p>Install <a class="chakra-link css-pmuo56" href="https://socket.dev/github-app">Socket for GitHub</a> to stay secure this year, and let's see what the rest of 2024 has in store for us!</p>