Post-mortem of this weekend's NPM incident (opens in new tab)

When your code deployment model is effectively "download stuff from random websites", I feel like namespace recycling is the least of your worries.

(That is to say, trusting that any given named package that `npm install` downloads is what you think it is is really no different that trusting `wget https://example.com/thecode.tgz`. Even if you verify that the domain hasn't switched hands, you have no guarantee that the author's pipeline wasn't compromised, or that the author didn't add malware themselves. There's a reason Debian, Red Hat et. al. put a lot of effort into ensuring integrity of their repositories.)

>If npm packages used a Github-style "author/package" format, name collision would never be an issue again.

They have that, and many are finally starting to take advantage of it (with babel being the most prominent with their latest version)

But this doesn't completely "fix" the problem, since the exact same conflicts can still happen with the "author" name (if someone takes "google\" there are going to be some very upset californians)

Seems like they're only allowing name reuse in the case of spam packages. Not allowing name reuse in that case might result in lots of names being rendered permanently unusable by automated spambots.

Assuming no actual users are depending on packages which are literally just spam, I don't really see an issue with reusing the names of those packages.

You already sound smarter than whoever leads the Node Package Mess.

I'd like to see a package registry with (1) Github-style author-namespaced packages, and (2) package signing (i.e. if an author starts signing packages with a different key, I'd like to know about it). Maybe integrate the latter with Keybase to help users decide if they should trust a key.

I don't know how you gain any kind of critical mass trying to compete against a well-established registry like npmjs, though.

I think package URIs should include a secure hash of their contents.

Although you won't get updates without asking for them - I'm not sure that's a bad thing - you can be assured that you'll either get the package you were expecting or no package at all.

From the response steps:

> Our first action, which began immediately after the incident concluded, was to implement a 24-hour cooldown on republication of any deleted package name.

Yep. I had one against me mid last year.

I meant the policy which allowed this to happen:

`In the course of reviewing and acting on spam reports, an npm staffer acted on this flag without further investigating the user and removed the user and all of their packages from the registry.`

Specifically, a policy that allows removing "all of [a user's] packages" based on something related to the user rather than on the packages themselves.

Feels like there should be a disconnect between decisions made about a 'user' and those made about a 'package'.

Once the package is published, there should be an understanding that the package belongs to npm and npm's users, even if the original publisher retains some authority over it.

And if there is cause to ban a user, it should not automatically mean that packages published by the user are affected (aside from removing whatever authority the user had).

Why can't they just reuse when it is apparent the case is harmful (as in, people complain and check number of downloads and dependent packages) by blocking the name and disallow reuse for any other cases?

This does not alleviate the issue where you can reuse package names. I suppose they believe what they mark as spam packages won't be used enough or is already bad enough that reusing the name is harmless. And they probably also believe that they can catch fuckups in a day. I don't think either are necessarily true and are only true in this case because it hit popular dep trees. But what happens when something is erroneously marked as spam that's not as popular and the downstream dependents don't realize in 24 hours? If the problem is that "placeholders" are too heavy, then they could be made lighter weight or put some rules around when they will add them and when they won't.