Supply chain, Third-party code

NPM registry prank leaves developers unable to unpublish packages

Share
Actor Gary Oldman in a scene from the movie "Leon."

Update Jan. 4, 2024:

GitHub told SC Media Wednesday night that disruptions related to the "everything" package, and its registry-wide dependencies, were being resolved.

"We found the project to be in violation of GitHub's Acceptable Use Policies, which prohibit behavior that significantly or continually disrupts the experience of other users. It was also found to violate the npm Code of Conduct," the company stated. "We have resolved the dependency issue, so packages can now be removed if they meet our unpublish criteria, and are working to remove the packages from both the npm registry and GitHub."

As of Thursday morning, the "everything" repository had been removed from GitHub. The "everything" package still appeared to be active on the NPM registry but, now without a source commit, is accompanied by a message reading, "Please verify the source before using this package."

Original report Jan. 3, 2024:

NPM registry users were rendered unable to unpublish any public packages beginning late last week due to an apparent prank gone wrong.

The GitHub-operated open-source JavaScript package repository hosts more than 2 million packages and is used by more than 17 million developers, according to the NPM website.

On Dec. 29, a package titled “everything” was published to the registry, which is designed to install all other public packages in the registry. This created a registry-wide web of dependencies that effectively disabled the ability to unpublish packages on the site, as packages that other packages are dependent on cannot be unpublished.

The incident triggered responses from developers left unable to unpublish their deprecated or experimental packages, as well as criticism from some who viewed the stunt as an abuse of the open-source NPM system.

The developers behind “everything” said they did not anticipate these consequences and reached out to NPM and GitHub to resolve the issue. Ironically, the team was left unable to unpublish “everything” themselves due to a circle of dependencies that essentially made the package dependent on itself.

“We just thought it would be funny,” wrote Evan Boehs, an “everything” contributor, in response to another GitHub user’s question about the project’s purpose. “We did not know all this would happen.”

Disruptive ‘everything’ JavaScript package created ‘for the meme’

The “everything” package was accompanied by a “README” file stating “Please don’t actually install this…” It also included a meme image of Gary Oldman from the film “Léon,” depicting a scene in which Oldman’s character dramatically shouts the word “everyone.”

The “about” section of the “everything” repository also includes a link to the website “everything.npm.lol,” which displays an animation depicting numerous packages being installed followed by a meme from the video game “The Elder Scrolls V: Skyrim.”

Despite the warning to not install the package, the NPM registry site indicates “everything” was downloaded 224 times as of Jan. 3.

Jossef Harush, head of the supply chain security engineering group at Checkmarx, said in a blog post that installing “everything” would likely result in a denial of service (DoS). Harush also refers to the project as a “troll campaign.”

“I want to reiterate that we aren’t trolls, we are at worst QA testers for NPM, and at best comedians and creative coders,” Boehs wrote separately in a comment on GitHub.

More than 2 million NPM packages caught up in ‘dependency hell’

The sweeping effect of “everything” across the entire NPM registry exposes flaws in the NPM open-source system, argues contributor PatrickJS on GitHub, who goes by the username gdi2290 on the NPM site.

“to be clear this is an edge-case in NPM’s unpublish policy which doesn’t account for ‘*,’” PatrickJS wrote on GitHub, referring to the star symbol that indicates a package’s dependency on any and all versions of another package. PatrickJS suggested that GitHub should allow developers to unpublish a package if its dependents rely on “star versions,” or disable this use of “*” altogether.

“One other thing to note while discussing this fiasco, we considered that this could have been exploited for much more malicious reasons,” said fellow contributor Boehs. “Say, if somebody accidentally uploads sensitive information, a bad actor could make packages to keep it up. It’s good this was caught in this way instead of after being exploited in the wild.”

Some other developers were not convinced, expressing frustration and disapproval on the “everything” repository’s issues board.

One user, Matt Lucock, lambasted the group for “reckless negligence” and for blaming NPM for the fallout of their project.

“You have deluded yourselves into believing that the problem isn’t that you abused the registry, but that npm’s unpublish rules don’t hold up to someone abusing the registry in this way,” Lucock wrote, adding that the unpublish rules are necessary “protect the integrity of the registry.”

Nicolas Ventura, a data center engineer at Lawrence Berkeley National Lab, reported that one of his deprecated packages was impacted by the dependency issue, and said that while the project was “interesting and humorous,” it ultimately caused unnecessary problems.

“This project certainly feels like spam and the thousands of sub-packages should not have been published to the official NPM repository and are just causing clutter,” Ventura wrote. “I’m fascinated that NPM didn’t flag or block any packages from being published, since many other websites, like social media has posting limits.”

The “everything” package, which has more than 3,000 sub-packages, remains published on the NPM registry as of this writing, although PatrickJS reported that GitHub was actively working to fix the issue since Tuesday night.

‘Everything’ not the first to break NPM’s dependency system

Lucock and Harush note previous instances of developers publishing NPM packages that created a stir due to the creation of registry-wide dependencies.  

In 2012, the “hoarders” package, described by its creators as “node.js’s most complete ‘utility grab-bag,’” created dependencies for all 20,000 modules published in the NPM registry at the time. The project received backlash and was later revised to work without creating direct dependencies to the utilities it installs.

More recently, in January 2023, a package called “no-one-left-behind” was made dependent on all other packages in the NPM registry. The package was removed by NPM, which labeled it as containing “malicious code,” although more than 33,000 subpackages of “no-one-left-behind” continued to exist, causing some difficulty.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds