npm / registry-issue-archive

An archive of the old npm registry issue tracker

Home Page: https://npm.community

Many packages suddenly disappeared

antoniobrandao opened this issue · comments

massive issue for us because of this. Please resolve asap

I've tweeted npm support and also emailed them. Hope someone sees this soon

I believe this issue affects packages with versions before 2018 as well as versions after 2018.

Versions before 2018 cannot be installed, while versions after 2018 can be. For instance,

require-from-string@2.0.0 is unavailable, while require-from-string@2.0.2 is available. The difference between them is their publish year. Note that 2.0.2 was just published, which kicked off this series of problems.


Update: This theory appears to be wrong. See @BlackHole1 's comment below :)

Instead, this appears to be because floatdrop's packages have disappeared.

@jmeas Not so, because someone registered the package

They come and go.

Just today I've seen the package "infinity-agent" missing, then it came back, disappeared again, and came back again.

Very flimsy behaviour from NPM.

Ah, I see @BlackHole1 . That makes sense.

If that's the case, then this is a big security issue if someone hijacks a critical project and replaces it with some malicious code.

@jmeas And I thought that this was only a "problem" between 1999 and 2000. ;)

@jmeas https://www.npmjs.com/package/require-from-string doesn't exist at the moment is that the page for your module?

I just HOPE during this time it is not possible to actually create a new package with the same name as these missing ones. So many projects would have their dependencies broken.

there should be a mirror for issues like this

@antoniobrandao It is possible. I have re-published some of the packages that were missing with the code that was available on GitHub. The original author has deleted his NPM account and dropped all his packages. But it seems like NPM keeps dropping packages. No idea why.

@mbensch OMG 😨😨😨😨

This one package https://www.npmjs.com/package/duplexer3 was unavailable for close to 30 mins. Now it's back, but the interesting thing is that it appears it was published 5 mins ago

jekh published 19 minutes ago

So much for NPM reliability.

Looks to me all these packages were originally published by @floatdrop, see google cache. Anyone seen any other users affected?

@mbensch looks like his account still exists just all packages gone.

Same problem for the require-from-string package, which doesn't allow me to use create-react-app.

@marco476 same here, can't even install create-react-app

All the packages by this user https://www.npmjs.com/~floatdrop are missing.

Same problem here, can't even upgrade my current project with webpack 👎

What happened to floatdrop? being hacked?

Same problem here, trying to run npm install. Returns:

npm ERR! code ENOVERSIONS
npm ERR! No valid versions available for timed-out

node 9.3.0
npm 5.6.0

npm ERR! code ENOVERSIONS
npm ERR! No valid versions available for duplexer3 

@paulwib I checked earlier and his account was gone. I guess he's actively trying to delete it all because after I re-upped pinkie-promise I added him as contributor and it was unpublished shortly after.

Left pad all over again.

Today is NPM's doomsday?

better than a week day

Yeoman is also affected.

this is an ongoing incident. the team is working on it. sorry to all https://status.npmjs.org/incidents/41zfb8qpvrdj

source: npm/npm#19534 (comment)

why do I feel like the world is ending! It's just a bloody registry

@mbensch removing one's own packages is impossible if they are more than 24 hours old.

https://docs.npmjs.com/cli/unpublish

Quote:

With the default registry (registry.npmjs.org), unpublish is only allowed with versions published in the last 24 hours. If you are trying to unpublish a version published longer ago than that, contact support@npmjs.com.

So these packages we are talking about, would need NPM staff's intervention to be removed.

Update from NPM staff: [image]

Well, just before that status page with the advisory about not doing exactly this, I semver-bumped floatdrop's vinyl-git to 1.0.0. This should be treated as a security breach (if I'd only bumped to 0.0.9, any real users running npm install with the default semver range would potentially be caught). I'd prefer if NPM wiped all of them and accepted a bit of downtime on floatdrop's legacy until they can control the influx of hijackings.

Edit: unpublished.
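The semver point in the comment above, worked through as an added example (this is not code from the thread and not npm's own code): a minimal model of the `^` range that `npm install --save` writes by default, plus the older `~` prefix, used to show which republished versions a dependant would pick up on a fresh install. Whether a republish is picked up depends on the range the dependant declared: `~0.0.8` admits 0.0.9, `^0.0.8` admits nothing but 0.0.8, and a republish at 1.0.0 is outside both. The version lists for vinyl-git below are assumptions for illustration, not its real publish history.

```javascript
'use strict';
// Added example (not from the thread, not npm's own code): a minimal model of
// npm's default caret (^) and tilde (~) ranges, used to show which republished
// versions a dependant picks up on a fresh `npm install`. Version lists are
// constructed, not the real publish history of any package.

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error('unsupported version string: ' + v);
  return m.slice(1).map(Number);
}

function cmpTriple(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Exclusive upper bound of a range, given its prefix and lower bound.
function upperBound(prefix, [major, minor, patch]) {
  if (prefix === '~') return [major, minor + 1, 0]; // ~1.2.3 := >=1.2.3 <1.3.0
  if (major > 0) return [major + 1, 0, 0];           // ^1.2.3 := >=1.2.3 <2.0.0
  if (minor > 0) return [0, minor + 1, 0];           // ^0.2.3 := >=0.2.3 <0.3.0
  return [0, 0, patch + 1];                          // ^0.0.3 := >=0.0.3 <0.0.4
}

// Handles "^X.Y.Z", "~X.Y.Z" and an exact "X.Y.Z" pin; nothing else.
function satisfies(range, version) {
  const v = parse(version);
  const prefix = range[0];
  if (prefix !== '^' && prefix !== '~') return cmpTriple(v, parse(range)) === 0;
  const lower = parse(range.slice(1));
  return cmpTriple(v, lower) >= 0 && cmpTriple(v, upperBound(prefix, lower)) < 0;
}

// npm picks the highest published version that satisfies the range;
// null is the "No valid versions available" case seen in this thread.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(range, v));
  if (ok.length === 0) return null;
  return ok.map(parse).sort(cmpTriple).pop().join('.');
}

// `legitimate`: versions from the original publisher still on the registry.
// `republished`: versions pushed by whoever took the freed name.
// Returns what a fresh install would choose and whether that is the newcomer's code.
function exposure(range, legitimate, republished) {
  const chosen = resolve(range, legitimate.concat(republished));
  return { chosen, pullsRepublished: chosen !== null && republished.includes(chosen) };
}

// Dependants declared a range on the (constructed) 0.0.8 release of vinyl-git.
console.log('^0.0.8, republished 1.0.0:', exposure('^0.0.8', ['0.0.8'], ['1.0.0']));
console.log('^0.0.8, republished 0.0.9:', exposure('^0.0.8', ['0.0.8'], ['0.0.9']));
console.log('~0.0.8, republished 0.0.9:', exposure('~0.0.8', ['0.0.8'], ['0.0.9']));
// Once the original versions are gone, anything in range is the newcomer's.
console.log('^1.2.0, originals gone:  ', exposure('^1.2.0', [], ['1.2.0']));
```

The exact-pin branch is what a committed package-lock.json gives you: the resolver never sees a range at all, so a newer version published under the name cannot be selected, and a same-version re-upload is caught by the lockfile's integrity hash rather than by version arithmetic.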

lmao, this is the new generation of programmers, this is our future

this seems to be the root cause of this issue vercel/next.js#3542

Of course this happens right as I try to start a new project

@mapinis at least you hadn't installed a fresh version of Windows, as I did....

"please do not attempt to republish packages" .... I tried exactly that from my fork ... sorry npm team!

Pray for NPM :c

@piotrSatlawa I guess I'm lucky then

Guys, chill down. The team is obviously working on it now that they've posted on https://status.npmjs.org/.

At least we can left-pad our strings this time 🎉

Keep calm, and have a beer.

npm ERR! code ENOVERSIONS
npm ERR! No valid versions available for timed-out

Just when I was going to start a project ...

It's Saturday. I'm gonna go get a Margarita and wait what happens 🍸

@jbirer true... this is what you get when your team becomes a bunch of hipster SJWs

Please be cautious because duplexer3 was republished by a fresh npm user, not the original maintainer, so it's probably a package takeover.

They published another four versions since then, so it's possible they've initially republished unchanged package, but now are messing with the code.
Previously the package belonged to someone else: https://webcache.googleusercontent.com/search?q=cache:oDbrgPbT5m0J:https://www.npmjs.com/package/duplexer3

I'm not saying it's a malicious attempt, but it might be and it very much looks like one. Be cautious, as you might not notice if some packages your code depends on were republished with malicious code. It might take some time for NPM to sort this out and restore the original packages.

I do love npm in concept but after reading about left-pad, there are two things that I get worried about:

  1. people can unpublish their packages whenever they please (and i suppose they have every right to)
  2. npm sorta has ownership of the packages you publish and if there is legal trouble they take packages away from you

are these just faults of the system, or is there a way to structure a package manager in such a way as to fix these problems?

@Kimeiga - on 1.
https://docs.npmjs.com/cli/unpublish

With the default registry (registry.npmjs.org), unpublish is only allowed with versions published in the last 24 hours. If you are trying to unpublish a version published longer ago than that, contact support@npmjs.com.

Deployment of our projects is blocked. I'm wondering if we should commit node_modules to git. It's a common practice on Go projects and it works really well.

Who's fault? NPM guys or the package maintainer?

@racbart You're not wrong, duplexer3 is hijacked.

https://unpkg.com/duplexer3@1.0.1/package.json

@paulbartocillo I don't think we really know yet, but the npm status seems to imply that they didn't predict this would happen

@goenning Use proxy registry. Like jfrog artifactory

FYI, this doesn't affect yarn because it uses its own registry.

@paulbartocillo NPM staff fault

@0xcaff yarn install not working

@0xcaff it does affect yarn. If you don't get an error it's because it's loading packages previously saved for offline loading (yarn's great feature).

Learning to program instead of borrowing code from real programmers over easy things like array management could help

It affects yarn as well

verbose 10.938 Error: Received malformed response from registry for "timed-out". The registry may be down.
    at /usr/local/Cellar/yarn/1.3.2/libexec/lib/cli.js:48907:15
    at Generator.next (<anonymous>)
    at step (/usr/local/Cellar/yarn/1.3.2/libexec/lib/cli.js:92:30)
    at /usr/local/Cellar/yarn/1.3.2/libexec/lib/cli.js:110:14
    at new Promise (<anonymous>)
    at new F (/usr/local/Cellar/yarn/1.3.2/libexec/lib/cli.js:29389:28)
    at /usr/local/Cellar/yarn/1.3.2/libexec/lib/cli.js:89:12
    at Function.findVersionInRegistryResponse (/usr/local/Cellar/yarn/1.3.2/libexec/lib/cli.js:48946:7)
    at /usr/local/Cellar/yarn/1.3.2/libexec/lib/cli.js:48963:28
    at Generator.next (<anonymous>)
error Received malformed response from registry for "timed-out". The registry may be down.
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

Re-inventing the wheel a thousand times is also a good approach.

Panic thus this is doomsday.

Learning to program instead of borrowing code from real programmers over easy things like array management could help

@jbirer Create a new npm for us please (and teach us to program) <3

NPM registry is a single point of failure and the source of truth, a proxy helps but doesn't solve the problem.

Should we: rm -rf node_modules && npm cache verify ????

@fallion it's smarter than trying to run with deflated tires.

In two hours, ten new Medium articles appear:

THE INTERNET HAS FALLEN APART, 2018 STARTS OF SHAKY

ahaha people are super nervous, they keep reacting with all the emojis 👍 LOL

Now I can see timed-out on npmjs - https://www.npmjs.com/package/timed-out (there was a 404 10 mins ago)

It has moved on to: "pinkie-promise". :D

Jokes aside, it should not be possible for packages to be pulled from the repository this way. When an account is deleted the repositories should stay in place and be protected from interference outside of NPM themselves.

Honestly, I'm amazed that we haven't learned from leftpad. And a little amused.

So, should I rely on NPM anymore? Should I carry node_modules with me always! What if this happens again on a project release date :-)

@goenning we have a Nexus Repository Manager that caches any installed packages. That means we'd still be able to restore from our Nexus server in situations like this. Seems like a better idea than committing node_modules.

I think it's time to change the way NPM was installed.

I don't have this issue on my .NET app.

Update - Most of the deleted packages have been restored and installation of those packages should succeed. Nine packages are still in the process of restoration.

From https://status.npmjs.org/

I was just about to swear at vue-cli. Sorry for that guys :)

@gino package name. Not user.

@svinesh3691

The next NPM: Carrier pigeons with USBs

Alright passed through the timed-out now the pinkie-promise.

5 packages are still listed on my account (re-published before NPM got involved) so they're still working on it.

29 lines of code, that shook the world...

'use strict';

var Module = require('module');
var path = require('path');

module.exports = function requireFromString(code, filename, opts) {
	if (typeof filename === 'object') {
		opts = filename;
		filename = undefined;
	}

	opts = opts || {};
	filename = filename || '';

	opts.appendPaths = opts.appendPaths || [];
	opts.prependPaths = opts.prependPaths || [];

	if (typeof code !== 'string') {
		throw new Error('code must be a string, not ' + typeof code);
	}

	var paths = Module._nodeModulePaths(path.dirname(filename));

	var m = new Module(filename, module.parent);
	m.filename = filename;
	m.paths = [].concat(opts.prependPaths).concat(paths).concat(opts.appendPaths);
	m._compile(code, filename);

	return m.exports;
};

@jbirer Yeah, it's not like we weren't able to build our .NET project because the Entity Framework Extensions package couldn't verify our license. These kinds of problems are absolutely exclusive to node

Be sure to check if the packages that reappear have not been taken over by squatting malicious actors.

Gotta admit it's kinda exciting to watch this unfold live. Along for the ride 🎢

Plot twist: npm is using us to do a dos attack on GitHub issues

@gigobyte now you have to wait for your maintainer to fix his Array to Objects friendly library to use your Node MySQL library to get to work.

'bout time NPM goes blockchain

It's not the first and it won't be the last situation in the NPM world. IMHO the NPM registry and packaging should be revised at the DNA level first

I agree that there should be no way to remove, only update, packages once you publish to NPM. This will obviously be an issue again. Does anyone have a suggestion on how to find which package is requiring another package? I'm having a problem with "pinkie-promise"... I'm not sure which package I'm using is requiring it though... since I can't install anything now :)

Just tried npm install on an old project and guess what ! Hell broke looooose 🚨🚨🚨🚨🚨🚨

@pscanlon1 You can try yarn why pinkie-promise. Not sure about npm.
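For npm, `npm ls pinkie-promise` prints the dependency path the same way `yarn why` does. When the registry is the thing that is broken, the committed package-lock.json already holds that answer offline, so here is an added example (not from the thread, not npm's own code) that walks a lockfile-v1 tree and reports every package declaring a dependency on a given name. The lockfile below is constructed sample data; `example-loader` is a hypothetical package name, and the other entries are not claims about those packages' real manifests.

```javascript
'use strict';
// Added example (not from the thread, not npm's own code): find which
// packages in a package-lock.json (lockfile v1, as npm 5 writes it) declare
// a dependency on `target`, with the path from the project root.
// The sample lockfile is constructed; "example-loader" is hypothetical.

function whoRequires(lock, target) {
  const hits = [];
  (function walk(node, path) {
    for (const [name, entry] of Object.entries(node.dependencies || {})) {
      const here = path.concat(name + '@' + entry.version);
      const requires = entry.requires || {};
      if (Object.prototype.hasOwnProperty.call(requires, target)) {
        hits.push({ dependant: here.join(' > '), range: requires[target] });
      }
      // Versions that could not be hoisted live in the entry's own subtree.
      walk(entry, here);
    }
  })(lock, []);
  return hits;
}

// The top-level packages whose subtree needs `target`: these are the ones that
// fail to install (ENOVERSIONS) while the target is missing from the registry.
function rootsAffected(lock, target) {
  return whoRequires(lock, target)
    .map((h) => h.dependant.split(' > ')[0])
    .filter((root, i, arr) => arr.indexOf(root) === i);
}

const SAMPLE_LOCK = {
  name: 'my-app', version: '1.0.0', lockfileVersion: 1,
  dependencies: {
    'path-exists': { version: '2.1.0', requires: { 'pinkie-promise': '^2.0.0' } },
    'pinkie-promise': { version: '2.0.1', requires: { pinkie: '^2.0.0' } },
    pinkie: { version: '2.0.4' },
    webpack: {
      version: '3.10.0',
      requires: { 'example-loader': '^1.0.0' },
      dependencies: {
        'example-loader': { version: '1.2.0', requires: { 'pinkie-promise': '^2.0.0' } },
      },
    },
    react: { version: '16.2.0' },
  },
};

console.log(whoRequires(SAMPLE_LOCK, 'pinkie-promise'));
console.log(rootsAffected(SAMPLE_LOCK, 'pinkie-promise'));
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of `SAMPLE_LOCK`; because it never contacts the registry, it works while installs are failing.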

I'm having the same issue with pinkie-promise while trying to create a new CRA project

Impatiently waiting.... :P

@pscanlon1 I'm having that issue too but it looks like the github project for pinkie-promise has also taken a vacation.