Slashdot Mirror


Erroneous 'Spam' Flag Affected 102 npm Packages (npmjs.org)

There was some trouble last weekend at the world's largest package repository. An anonymous reader quotes the official npm blog: On Saturday, January 6, 2018, we incorrectly removed the user floatdrop and blocked the discovery and download of all 102 of their packages on the public npm Registry. Some of those packages were highly depended on, such as require-from-string, and removal disrupted many users' installations... Within 60 seconds, it became clear that floatdrop was not a spammer -- and that their packages were in heavy use in the npm ecosystem. The staffer notified colleagues and we re-activated the user and began restoring the packages to circulation immediately. Most of the packages were restored quickly, because the restoration was a matter of unsetting the deleted tombstones in our database, while also restoring package data tarballs and package metadata documents. However, during the time between discovery and restoration, other npm users published a number of new packages that used the names of deleted packages. We locked this down once we discovered it, but cleaning up the overpublished packages and inspecting their contents took additional time...

In cases where the npm staff accepts a user's request to delete a package, we publish a replacement package by the same name -- a security placeholder. This both alerts those who had depended on it that the original package is no longer available and prevents others from publishing new code using that package name. At the time of Saturday's incident, however, we did not have a policy to publish placeholders for packages that were deleted if they were spam. This made it possible for other users to publish new versions of eleven of the removed packages. After a thorough examination of the replacement packages' contents, we have confirmed that none was malicious or harmful. Ten were exact replacements of the code that had just been removed, while the eleventh contained strings of text from the Bible -- and its publisher immediately contacted npm to advise us of its publication.

They're now implementing a 24-hour cooldown on republication of any deleted package names -- and are also updating their review process. "As a general rule, the npm Registry is and ought to be immutable, just like other package registries such as RubyGems and crates.io... However, there are legitimate cases for removing a package once it has been published. In a typical week, most of the npm support team's work is devoted to handling user requests for package deletion, which is more common than you might expect. Many people publish test packages then ask to have them deprecated or deleted. There also is a steady flow of requests to remove packages that contain private code that users have published inadvertently or inappropriately."

4 of 84 comments

  1. What? by ArchieBunker · Score: 4, Insightful

    I have no idea what this block of text is telling me. What are npm packages? Who is floatdrop and why is he relevant?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  2. Maintain your own dependencies! by WoodstockJeff · Score: 5, Insightful

    If you have an important project and it is dependent upon a remotely-published package, it's not an important enough project to you.

    There is a certain appeal to letting someone else maintain code and do bug fixes for you, but you have to give up that dream when the project becomes more than a casual "thing" you play with for fun.

  3. What a clusterfuck by Just+Some+Guy · Score: 5, Insightful

    They're now implementing a 24-hour cooldown on republication of any deleted package names

    So make attackers wait a whole day before uploading their compromised replacements for widely-used packages. Got it!

    Seriously, NPM is a shithole. "As a general rule, the npm Registry is and ought to be immutable", you think? It's not a "general rule". It's "all the time, every" you freaking amateurs.

    most of the npm support team's work is devoted to handling user requests for package deletion, which is more common than you might expect. Many people publish test packages then ask to have them deprecated or deleted. There also is a steady flow of requests to remove packages that contain private code that users have published inadvertently or inappropriately.

    This right here is how you brought it upon yourself, and why I have zero sympathy for your self-imposed situation. If I contribute a package to Debian, you think they'll spend "most of their week" removing it just because I asked? That's not gonna happen. Here's how you fix this:

    "Effective immediately, we no longer remove packages unless they cause a clear and imminent threat to their users. If you accidentally included your GitHub password, change it. That's your problem, not ours. Next time try not to do that, OK? Also, we no longer reuse package names, ever, for any reason. If you wanted it, you should have registered it. And finally, under no circumstances, period, may you ever reuse a version number. Ten years from now, package foo-1.2.3 will be bytewise identical to the one we issued last week. We guarantee it."

    Anything short of that is a joke to the rest of the industry. I'm not being idealistic or unrealistic, either: these are completely reasonable, common policies that pretty much literally every other package repo implements.

    --
    Dewey, what part of this looks like authorities should be involved?
    1. Re:What a clusterfuck by Just+Some+Guy · Score: 4, Insightful

      Eh, I don't care about that so much. If it's the idiom in your language to let someone else write every little function like that, and that's just how it is in that ecosystem, then so be it. I wouldn't want to work that way, but everyone has their preferences.

      But if you're going to foster an ecosystem where everyone's going to use the same "leftpad", then you damn well better make sure that:

      • Once I've added "leftpad-4.5.6" to my dependencies, it's not going away unless there's a critical security flaw,
      • That today's "leftpad-4.5.6" is the same one I downloaded yesterday, and
      • That "leftpad-4.5.7" comes from the same author who released 4.5.6 and not Boris in St. Petersburg.

      If you can't guarantee all three of those conditions, I want nothing to do with it. And again, pretty much everyone else offers these guarantees. This isn't just some greybeard rant about an ideal world no one has ever lived in before.

      --
      Dewey, what part of this looks like authorities should be involved?