Erroneous 'Spam' Flag Affected 102 npm Packages (npmjs.org)

← Back to Stories (view on slashdot.org)

Erroneous 'Spam' Flag Affected 102 npm Packages (npmjs.org)

Posted by EditorDavid on Saturday January 13, 2018 @03:34AM from the false-flags dept.

There was some trouble last weekend at the world's largest package repository. An anonymous reader quotes the official npm blog: On Saturday, January 6, 2018, we incorrectly removed the user floatdrop and blocked the discovery and download of all 102 of their packages on the public npm Registry. Some of those packages were highly depended on, such as require-from-string, and removal disrupted many users' installations... Within 60 seconds, it became clear that floatdrop was not a spammer -- and that their packages were in heavy use in the npm ecosystem. The staffer notified colleagues and we re-activated the user and began restoring the packages to circulation immediately. Most of the packages were restored quickly, because the restoration was a matter of unsetting the deleted tombstones in our database, while also restoring package data tarballs and package metadata documents. However, during the time between discovery and restoration, other npm users published a number of new packages that used the names of deleted packages. We locked this down once we discovered it, but cleaning up the overpublished packages and inspecting their contents took additional time...

In cases where the npm staff accepts a user's request to delete a package, we publish a replacement package by the same name -- a security placeholder. This both alerts those who had depended on it that the original package is no longer available and prevents others from publishing new code using that package name. At the time of Saturday's incident, however, we did not have a policy to publish placeholders for packages that were deleted if they were spam. This made it possible for other users to publish new versions of eleven of the removed packages. After a thorough examination of the replacement packages' contents, we have confirmed that none was malicious or harmful. Ten were exact replacements of the code that had just been removed, while the eleventh contained strings of text from the Bible -- and its publisher immediately contacted npm to advise us of its publication.
They're now implementing a 24-hour cooldown on republication of any deleted package names -- and are also updating their review process. "As a general rule, the npm Registry is and ought to be immutable, just like other package registries such as RubyGems and crates.io... However, there are legitimate cases for removing a package once it has been published. In a typical week, most of the npm support team's work is devoted to handling user requests for package deletion, which is more common than you might expect. Many people publish test packages then ask to have them deprecated or deleted. There also is a steady flow of requests to remove packages that contain contain private code that users have published inadvertently or inappropriately."

84 comments

Min score:

Reason:

Sort:

One would think... by Anonymous Coward · 2018-01-13 03:51 · Score: -1

... that a little thinking ahead would have prevented this rather obvious gaffe. But then, if you thought that you'd've presumed that javascript monkeys can think ahead, or at all.
Apparently not.
why does anyone use online javascript libraries? by Anonymous Coward · 2018-01-13 04:02 · Score: 0

They are a risk for both the site (they can just disappear or change without notice) and the user (malware, yet another library to manage in no-script).
Why expose yourself and your users to this? It is willful negligence and unethical if you ask me.
express-cocaine-service by 110010001000 · 2018-01-13 04:03 · Score: 0

I use this guy's express-cocaine-service package a lot. This was terrible for me. I had to find another supplier but who knows what was in the package I received.
What? by ArchieBunker · 2018-01-13 04:06 · Score: 4, Insightful

I have no idea what this block of text is telling me. What are npm packages? Who is floatdrop and why is he relevant?

--
Only the State obtains its revenue by coercion. - Murray Rothbard
1. Re:What? by Hal_Porter · 2018-01-13 04:37 · Score: 5, Informative
  
  npm is "NodeJS package manager". NodeJS is run by sloppy hippies. Being sloppy hippies they deleted a user and that user's packages without checking if other packages used them. Because they're sloppy hippies.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
2. Re:What? by pem · 2018-01-13 06:20 · Score: 1
  
  OK, but what do you think the real problem is?
3. Re:What? by _xeno_ · 2018-01-13 06:43 · Score: 3, Interesting
  
  This seems as good a place to leave my NPM story. Or I could just link to the bug.
  The short version is if you use NPM to install dependencies, it will install your dependencies and whatever they depend on. If you run it again, it will install your dependencies and then DELETE anything they depend on.
  Why would you repeat the install? Well, if your dependencies change (e.g., you update a dependency or add a new one), you would then repeat the install to get the new dependencies. Except you can't do this without blowing away the entire existing install due to this bug.
  It gets somewhat worse - starting in NPM 5, they introduced a lock file. Anyone familiar with other package managers should know what a lock file is and why they're important. If the lock file exists, it will never install indirect dependencies (probably).
  Basically, if anyone doubted that NPM was run by sloppy idiots, note that both bugs are still open and have been for months.
  
  --
  You are in a maze of twisty little relative jumps, all alike.
4. Re:What? by Hognoxious · 2018-01-13 08:56 · Score: 1
  
  what do you think the real problem is?
  
  Maybe they found a gender-specific pronoun in one of the comments.
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
5. Re:What? by pem · 2018-01-13 14:24 · Score: 1
  
  That would certainly cause no end of mischief.
Maintain your own dependencies! by WoodstockJeff · 2018-01-13 04:08 · Score: 5, Insightful

If you have an important project and it is dependent upon a remotely-published package, it's not an important enough project to you.
There is a certain appeal to letting someone else maintain code and do bug fixes for you, but you have to give up that dream when the project becomes more than a casual "thing" you play with for fun.
1. Re:Maintain your own dependencies! by Just+Some+Guy · 2018-01-13 04:27 · Score: 1
  
  I agree to a point, but I don't maintain my own Linux distro even though I depend on certain packages for my software to run on it.
  
  --
  Dewey, what part of this looks like authorities should be involved?
2. Re:Maintain your own dependencies! by Anonymous Coward · 2018-01-13 04:39 · Score: 1
  
  The entire concept of making one's build process dependent on some remote site being up at that very moment is so braindamaged that I don't understand how it ever got popular. I guess if a developer was a fetus when GitHub was created, they might not realize that any site can go down, any company can fail. Even GitHub.
3. Re:Maintain your own dependencies! by Anonymous Coward · 2018-01-13 04:41 · Score: 0
  
  You should also fire all the people in your company using NodeJS. Such brain-damaged “developers” do more harm than good.
4. Re:Maintain your own dependencies! by Anonymous Coward · 2018-01-13 05:17 · Score: 0
  
  Define "maintain". You can fairly easily maintain a Debian or Ubuntu mirror, and quite a few companies do so.
  Often that is just to save external bandwidth (so more like a WSUS server for Windows), but it does contain the full package data, and it is something you really ought to do if you critically depend on some distribution.
5. Re:Maintain your own dependencies! by Hal_Porter · 2018-01-13 06:42 · Score: 1
  
  Their inferior minds will cause deadlines to be missed! Contracts to be lost, Fire and brimstone coming down from the skies! Rivers and seas boiling! Forty years of darkness! Earthquakes, volcanoes! The dead rising from the grave! Human sacrifice, dogs and cats living together ... mass hysteria!
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
6. Re:Maintain your own dependencies! by Anonymous Coward · 2018-01-13 08:47 · Score: 0
  
  Completely agree.
  The rise of nuget in the .NET ecosystem enrages me so much.
What a clusterfuck by Just+Some+Guy · 2018-01-13 04:08 · Score: 5, Insightful

They're now implementing a 24-hour cooldown on republication of any deleted package names
So make attackers wait a whole day before uploading their compromised replacements for widely-used packages. Got it!
Seriously, NPM is a shithole. "As a general rule, the npm Registry is and ought to be immutable", you think? It's not a "general rule". It's "all the time, every" you freaking amateurs.

most of the npm support team's work is devoted to handling user requests for package deletion, which is more common than you might expect. Many people publish test packages then ask to have them deprecated or deleted. There also is a steady flow of requests to remove packages that contain contain private code that users have published inadvertently or inappropriately.
This right here is how you brought it upon yourself, and why I have zero sympathy for your self-imposed situation. If I contribute a package to Debian, you think they'll spend "most of their week" removing it just because I asked? That's not gonna happen. Here's how you fix this:
"Effective immediately, we no longer remove packages unless they cause a clear and imminent threat to their users. If you accidentally included your GitHub password, change it. That's your problem, not ours. Next time try not to do that, OK? Also, we no longer reuse package names, ever, for any reason. If you wanted it, you should have registered it. And finally, under no circumstances, period, may you ever reuse a version number. Ten years from now, package foo-1.2.3 will be bytewise identical to the one we issued last week. We guarantee it."
Anything short of that is a joke to the rest of the industry. I'm not being idealistic or unrealistic, either: these are completely reasonable, common policies that pretty much literally every other package repo implements.

--
Dewey, what part of this looks like authorities should be involved?
1. Re:What a clusterfuck by Lunix+Nutcase · 2018-01-13 04:14 · Score: 5, Informative
  
  These are people who need libraries to left pad a string and to check if something is an array. Technical prowess is not their forte.
2. Re:What a clusterfuck by FatdogHaiku · 2018-01-13 04:15 · Score: 1
  
  +1
  
  --
  You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
3. Re:What a clusterfuck by Just+Some+Guy · 2018-01-13 04:25 · Score: 4, Insightful
  Eh, I don't care about that so much. If it's the idiom in your language to let someone else write every little function like that, and that's just how it is in that ecosystem, then so be it. I wouldn't want to work that way, but everyone has their preferences.
  But if you're going to foster an ecosystem where everyone's going to use the same "leftpad", then you damn well better make sure that:
  
  Once I've added "leftpad-4.5.6" to my dependencies, it's not going away unless there's a critical security flaw,
  
  That today's "leftpad-4.5.6" is the same one I downloaded yesterday, and
  
  That "leftpad-4.5.7" comes from the same author who released 4.5.6 and not Boris in St. Petersburg.
  
  If you can't guarantee all three of those conditions, I want nothing to do with it. And again, pretty much everyone else offers these guarantees. This isn't just some greybeard rant about an ideal world no one has ever lived in before.
  --
  Dewey, what part of this looks like authorities should be involved?
4. Re:What a clusterfuck by Hal_Porter · 2018-01-13 04:40 · Score: 1
  
  Yeah, if more people realised why 'published interfaces are immutable' is such an important rule you wouldn't need to spend ages cleaning up when a screwup like this breaks your build environment when you do an update.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
5. Re:What a clusterfuck by Anonymous Coward · 2018-01-13 04:44 · Score: 0
  
  Why would you make your build environment dependent on a remote repository anyway? That seems rather stupid when it could have an outage, be vandalized by malicious admins or you could be subjected to retardery of the sort from this story. If you’re doing anything of worth your build environment should always be based on a local mirror.
6. Re:What a clusterfuck by Just+Some+Guy · 2018-01-13 04:49 · Score: 1
  
  That doesn’t help if you accurately mirror a repo where a package can be replaced with something malicious.
  
  --
  Dewey, what part of this looks like authorities should be involved?
7. Re:What a clusterfuck by Anonymous Coward · 2018-01-13 05:11 · Score: 0
  
  Then don’t put a retard in charge of handling your build environment.
8. Re:What a clusterfuck by Anonymous Coward · 2018-01-13 05:22 · Score: 2
  
  > unless there's a critical security flaw
  I hope you mean unless there is malicious code hidden in it.
  A security flaw no matter how critical is no reason to remove something.
  Sure, a repo should have a way to handle security issues, but removing insecure versions is not a sensible way of doing that.
  > comes from the same author
  That is too strict. You should have a mechanism to hand over maintainership of a project. But yes, it should not be some random person with 0 vetting.
9. Re:What a clusterfuck by Anonymous Coward · 2018-01-13 05:33 · Score: 0
  
  If it's immutable, then packages can't be added.
10. Re:What a clusterfuck by Anonymous Coward · 2018-01-13 05:40 · Score: -1
  
  Seriously, NPM is a shithole
  Go back to Twitter, Trump, where your language is considered acceptable.
11. Re:What a clusterfuck by Hal_Porter · 2018-01-13 06:05 · Score: 1
  
  Even if you have a local version control system you still need to merge changes from upstream if you want to upgrade the environment to the latest version - e.g. to get security patches. And traditionally you need to merge the mainline into your local copy and then lock the mainline and merge back - basically it means that if the mainline has changed in an incompatible way you resolve that in your branch or local copy before merging back. In Clearcase terms you don't merge back to the mainline until the merge is 'trivial' - i.e. only one set of changes.
  At least that's what happens with C/C++ projects with Clearcase/git/svn.
  Then again this is NodeJS. Maybe people don't ever upgrade to the latest version because there aren't any security patches and the latest version is alway so incompatible you're better off starting from scratch. And maybe they don't bother to cache anything either. And nor do they ever merge anything back to the mainline.
  Filthy degenerate hippies.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
12. Re:What a clusterfuck by Just+Some+Guy · 2018-01-13 06:05 · Score: 1
  
  I disagree about security flaws. If it’s not possible to use a package - say, it mistakenly always degrades SSL connections to plaintext - then I think it’s at least arguable that users should be prodded into upgrade to the fixed version.
  I agree about the “same author” bit. I didn’t spell it out, but that to me means “officially designated maintainer”. Maybe that’s always the same individual maintainer, or maybe it’s “Release Manager at Foo Corp”, or perhaps it’s “person who took over package Foo after Randy got a new job”. But in all cases, the uploaded is still the person who’s directly responsible for that specific package in real life.
  
  --
  Dewey, what part of this looks like authorities should be involved?
13. Re:What a clusterfuck by Anonymous Coward · 2018-01-13 06:16 · Score: 0
  
  > comes from the same author
  That is too strict. You should have a mechanism to hand over maintainership of a project. But yes, it should not be some random person with 0 vetting.
  I feel that proposal isn't strong enough... what happens if the original author goes insane and/or proves that they were never trustworthy to begin with?
  IMO every version should be subject to community review prior to publication, and if the community also provides binaries, then the binaries should be built on community server from published source.
  Doing this right would probably need a web-of-trust reputation system that requires upwards of a dozen high-profile reviewers for each patch. Then when a bad patch inevitably makes it through, all the reviewers who approved that patch would get all of their other reviews marked as suspect, and it could cause a cascade of rollbacks to previous "safe" versions.
14. Re:What a clusterfuck by Hal_Porter · 2018-01-13 06:47 · Score: 1
  
  You can add packages, you just can't delete them
  It's like in C++ when you're trying not to break back compatibility - you can add interfaces, and you can add methods to interfaces but you can't delete interfaces or delete methods from interfaces.
  That's how Symbian's binary compatibility worked. Now Symbian had a bunch of other fatal illnesses which eventually killed it, but a lack of interface immutability within a release wasn't one of them.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
15. Re:What a clusterfuck by _xeno_ · 2018-01-13 07:04 · Score: 1
  
  To be fair, the ability to left pad a string was only added to the JavaScript standard last year. Although Array.isArray has existed for quite a while now.
  As for why you need a special function to determine if something is an array, MDN links to this article.
  Note that one context in which you will never need to use Array.isArray over instanceof Array is inside a Node.js program, as it doesn't run in a browser context.
  Although even then, isArray probably doesn't work the way most people would expect: certain "array-like" things aren't arrays, such as arguments. JavaScript is fun.
  
  --
  You are in a maze of twisty little relative jumps, all alike.
16. Re:What a clusterfuck by thegarbz · 2018-01-13 07:26 · Score: 1
  
  There's something even more screwed up about the "leftpad" example: The package that half of the world depended on was leftpad 0.0.3. So someone had the genius to depend on code which based on its version number looked like an early alpha release.
17. Re:What a clusterfuck by serviscope_minor · 2018-01-13 07:54 · Score: 2
  
  There's something even more screwed up about the "leftpad" example: The package that half of the world depended on was leftpad 0.0.3. So someone had the genius to depend on code which based on its version number looked like an early alpha release.
  I think what's worse is it apparently took 3 minor releases to get leftpad right.
  WHAT THE FUCK
  
  --
  SJW n. One who posts facts.
18. Re:What a clusterfuck by Lunix+Nutcase · 2018-01-13 08:07 · Score: 1
  
  Even worse. If you look at the current version, there's something like 14 different releases. And it has 2 outstanding issues. All over something to left pad a string which is a CS101 entry-level coding task.
19. Re:What a clusterfuck by Lunix+Nutcase · 2018-01-13 08:10 · Score: 1
  
  Append-only is probably more accurate, then. You can always add, but not delete.
20. Re:What a clusterfuck by Lunix+Nutcase · 2018-01-13 08:26 · Score: 1
  
  To be fair, the ability to left pad a string [mozilla.org] was only added to the JavaScript standard last year. Although Array.isArray [mozilla.org] has existed for quite a while now.
  To be unfair, the ability to left pad a string is something that anyone should know how to do as an entry-level task to learning how to program.
21. Re:What a clusterfuck by Just+Some+Guy · 2018-01-13 09:05 · Score: 1
  
  It’s the Internet. You can say “fuck” here.
  
  --
  Dewey, what part of this looks like authorities should be involved?
22. Re:What a clusterfuck by Hognoxious · 2018-01-13 09:05 · Score: 1
  
  It doesn't help if you blindly mirror a repo where a package can be replaced with something malicious.
  FTFY.
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
23. Re:What a clusterfuck by Anonymous Coward · 2018-01-13 09:13 · Score: 0
  
  To be unfair, the ability to left pad a string is something that anyone should know how to do as an entry-level task to learning how to program.
  Yet another first world problem.
24. Re:What a clusterfuck by quetwo · 2018-01-13 12:26 · Score: 1
  
  I would add one more thing -- that "leftpad-4.5.7" is from the same source as the author's source location. We've been finding that the minified code (blob, if you will) that the npm directory points to is not necessarily the exact same as what is in the author's source tree -- meaning what people would be inspecting is not necessarily what is being distributed.
  It could be that leftpad is doing bad things to you code -- you just may not notice it because the source and the blob are totally different.
25. Re: What a clusterfuck by Anonymous Coward · 2018-01-13 14:04 · Score: 0
  
  Please, please be joking.
  Leftpadding as a third-party library call?!?!?!
26. Re:What a clusterfuck by AmiMoJo · 2018-01-13 14:33 · Score: 1
  
  One of the open issues is because it doesn't handle NaN passed as the length parameter... Holy crap JavaScript is amazing.
  This unaccepted pull request to fix it is hilarious: https://github.com/stevemao/le...
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
27. Re: What a clusterfuck by Lunix+Nutcase · 2018-01-13 18:36 · Score: 1
  
  I wish I was.
  
  1.2.0 is the latest of 14 releases
  https://www.npmjs.com/package/...
28. Re:What a clusterfuck by Just+Some+Guy · 2018-01-13 19:02 · Score: 1
  
  That’s terrifying!
  
  --
  Dewey, what part of this looks like authorities should be involved?
29. Re:What a clusterfuck by Anonymous Coward · 2018-01-13 20:54 · Score: 0
  
  > "leftpad-4.5.7" comes from the same author who released 4.5.6 and not Boris in St. Petersburg.
  But, but,
  I thought it *was* Boris in St. Petersburg who released leftpad-4.5.6 !
  captcha: nonlocal
30. Re:What a clusterfuck by Anonymous Coward · 2018-01-13 21:20 · Score: 0
  
  This is Javascript we're talking about, mostly running on systems with CPUs vulnerable to Spectre. The sort of person who has no problem running the latest code from their fingers (or the advertisers' s code) on a customer's computer isn't likely to be concerned about being prudent about where their code comes from.
  So, yes, in a sane environment, all external code would be replicated in a local mirror, reviewed by malware-scanning tools, version controlled and tagged, and routinely reviewed by those tasked or inclined for security. These kinds of mishaps would come up in the proposed changelist for the next replication task, or if that got missed, trivially rolled back to the last known good configuration.
  We have fifty years of evolving best practice arrived at with blood, sweat, and tears, all discarded because the people who invented the world we live in "just don't understand". Mmmm hmmm.
31. Re:What a clusterfuck by thegarbz · 2018-01-13 22:35 · Score: 1
  
  This unaccepted pull request to fix it is hilarious: https://github.com/stevemao/le... [github.com]
  I think the single most amazing thing about that fix is that the single line change literally modifies ~10% of the code of the package :-)
32. Re:What a clusterfuck by Just+Some+Guy · 2018-01-14 06:58 · Score: 1
  
  To be honest, that PR is a great reason for why you'd want to use someone else's left padding function. Turns out there are about 100 ways to subtly screw it up in JavaScript, so it makes sense to collect everyone's wisdom in a single place rather than everyone trying to re-invent that (surprisingly non-trivial) wheel.
  
  --
  Dewey, what part of this looks like authorities should be involved?
wtf by Anonymous Coward · 2018-01-13 04:09 · Score: 0

Lovely article... What is npm?
1. Re:wtf by Lunix+Nutcase · 2018-01-13 04:15 · Score: 2
  
  A repository of shitty Javascript lbraries for incompetent Javascript monkeys.
2. Re:wtf by Anonymous Coward · 2018-01-13 05:24 · Score: 0
  
  It’s point-and-grunt for development.
3. Re:wtf by CaptainDork · 2018-01-13 05:32 · Score: 1
  
  Thank you so much for joining me here.
  
  Hello, my name is CaptainDork, and I admit that I don't know one single, solitary goddam thing about npm and my ignorance is more than I can take on my own.
  I need help
  
  --
  It little behooves the best of us to comment on the rest of us.
Re:why does anyone use online javascript libraries by Fly+Swatter · 2018-01-13 04:09 · Score: 2

Ignorance is bliss. On the plus side, it makes the house of cards web developers call a website these days, easier to knock over.
Mod parent up to +5 insightful. by Qbertino · 2018-01-13 04:13 · Score: 1

"Maintain your own dependencies!"
Bingo! Extra delicious cookie for you, sir! And a salute.

--
We suffer more in our imagination than in reality. - Seneca
The Javascript botnet by Anonymous Coward · 2018-01-13 04:17 · Score: 0

npm is a central point of failure. I actually had a dream that someone hacked javascript on a central server and caused a worldwide DDOS of websites.. It's time for noscript to be enabled by default in all browsers and only run scripts on servers that are local and not on a centralized server. But of course this will never happen. In fact Firefox crippled their noscript with the change to webextentions.
Another OpenSORES Failure by Anonymous Coward · 2018-01-13 04:36 · Score: 0

I hope my buddy APK blocks these domains in the next hosts file engine update to keep me safe from this incompetent group!
Funny video mocking NodeJS zealots by Hal_Porter · 2018-01-13 04:43 · Score: 2

Node.js Is Bad Ass Rock Star Tech

--
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Re:why does anyone use online javascript libraries by Anonymous Coward · 2018-01-13 04:59 · Score: 0

learn the proper use of commas, as your sentences make no sense because of your misuse of commas.
Re:why does anyone use online javascript libraries by Lunix+Nutcase · 2018-01-13 05:26 · Score: 1

Says the person using improper capitalization.
Pad left into progress... by cdreimer · 2018-01-13 06:01 · Score: -1

Last time a developer deleted his NPM packages and broke the Internet.
https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/
This time the Internet didn't care when the admins deleted the wrong NPM packages. Progress?
1. Re:Pad left into progress... by Anonymous Coward · 2018-01-13 06:04 · Score: 0
  
  Man the harpoons! Thar be the whale named creimer!!
2. Re:Pad left into progress... by Anonymous Coward · 2018-01-13 06:45 · Score: 0
  
  Shut the fuck up creimer. Why don't you tell us about the time you said moving to mexico to marry an "underage sweet thing" was about "getting the most bang for your retirement dollar"
  Why did you talk about your job at the fbi on social media when your shitty government body shop told you not to?
3. Re:Pad left into progress... by Anonymous Coward · 2018-01-13 06:57 · Score: 0
  
  Didn't you get the memo? Creimer fired all his trolls yesterday. Your services are no longer needed. Don't let the door hit your ass on the way out.
4. Re:Pad left into progress... by Anonymous Coward · 2018-01-13 07:04 · Score: 0
  
  Creimer posted an on topic comment. Please do the same.
5. Re: Pad left into progress... by Anonymous Coward · 2018-01-13 07:52 · Score: 0
  
  You criemertards are as annoying as the beta fuckers of yore. Why don't you all go to a quiet corner an fuck each other.
  Oh wait, you are probably the same people.
  Oh wait, it's what you are already doing.
6. Re:Pad left into progress... by Lunix+Nutcase · 2018-01-13 08:11 · Score: 1
  
  And not even one Amazon affiliate link in sight.
7. Re:Pad left into progress... by Anonymous Coward · 2018-01-13 08:19 · Score: 0
  
  Yeah right fuck you. It's too late for that.
  It's even worse that you're posting on topic. This means you could have been a productive slashdotter any time you felt like it but you actively chose not to.
  I'd like to remind everyone that you will only act as good as you feel you're required to:
  You read every website's ToS carefully to find the hard limits of your shitty behavior.
  You acted like a raging asshole back when you thought you had millions of surplus positive karma points
  Back when you thought you could repair your karma with sockpuppets or story submissions you were a massive prick too.
  Now that you're finally out of cards you'll be a good boy? And we're supposed to just back off the second you make one marginally good post. We suggested that 6 months ago and that boat has sailed my friend. You'd sooner have them delete your account and start over than be where you're at now. It makes me happy knowing that it must eat you up to make a post like this.
8. Re:Pad left into progress... by Anonymous Coward · 2018-01-13 08:36 · Score: 0
  
  Game over. Fuck off.
9. Re:Pad left into progress... by Anonymous Coward · 2018-01-13 09:19 · Score: 0
  
  You sound bitters sweet fits!
10. Re:Pad left into progress... by Anonymous Coward · 2018-01-13 11:21 · Score: 0
  
  There you are now spamming youtube affiliate links with yet another fake account, you revenue stream hogging disgusting fat sexist tube of lard, Christopher Dale Reimer!
  You can be sure I will be watching this fake account too. I know this is you because you told me you were working on your freepass 11 file server and you are so dumb that you can't even masquerade yourself properly.
  Now, I told you I was out of meds last week and you didn't even care to contact me you lazy fucker.
  How many times do I have to express the emergency of the situation??????
  The python click script you wrote for my pheromone revenue stream web site suddenly stopped to work!!!!!!
  You fucking incompetent python script writer!!!
  When it works, I get 4000+ clicks a day on my pheromone revenue stream web site but only 5 or 6 without it!!!!
  Now, it seems like you dont care and that you have abandoned me you heartless fucking pig!
  Bonus:
  Here is a story that creimer told me when convincing me what a hard life he had:
  The tree was him and the tree knot was his butt hole!
  So, his uncle packed his fat ass with lard and with his cock! Not that it makes much of a difference but anyway, there it is!
  Signed:
  The girl that used to love you and now hates you, burn in hell where you belong you sexist pig!
11. Re:Pad left into progress... by Anonymous Coward · 2018-01-13 11:37 · Score: 0
  
  CREIMER' SUBMISSIONS UPDATE:
  Note also that creimer is trying to regain karma by getting his submissions published as articles on /. so make sure to go to:
  https://slashdot.org/~cdreimer
  https://slashdot.org/~Anonymou...
  https://slashdot.org/~FatCashe...
  https://slashdot.org/~ILoveFat...
  https://slashdot.org/~IHateFat...
  https://slashdot.org/~IAteFatC...
  https://slashdot.org/~ITapeFat...
  https://slashdot.org/~IApeFatC...
  https://slashdot.org/~IPrayFat...
  https://slashdot.org/~FatCashe...
  and mod down his submissions as well. The great thing is that you don't even need mod points to mod down a submission, just click on the "minus" icon!
  Yes, believe it or not, creimer owns all the above sock puppet accounts. It is a mystery why Slashdot management tolerates it!
  creimer wrote:
  
  I don't bother with mod points. I'm doing something much more sinister. It took ten story submissions ? I'll have to double check the number ? to move cdreimer's karma from neutral to excellent without ever being exposed to the capricious mods. Mmmmmwwwwahahahahahahaha!
  https://slashdot.org/comments....
  Danger, Will Robinson, Danger! Creimy is posting more than 2 posts a day. Hurry! mod down otherwise /. will go to hell again!
  Note: you can mod down even if already at -1 to lower karma and to prevent lost /. users to accidentally mod up.
  creimer wrote:
  
  All you need to do is find a website with a permissive TOS, say, Slashdot, create a Python script to scrape your own comments, sprinkle Amazon affiliate links in various posts, and then re-post past links whenever possible. Won't be long before you start making "coffee money" each month.
  https://slashdot.org/comments....
  C.D. Reimer is a renowned Slashdot collaborator, as he puts it himself; "Because of the quality of my posts and my article submissions, I'm a highly rated commentator and moderator."
  But does anybody ever wondered what "C.D." stands for? Well, it stands for Creimy Dumpty of course!
  Creimy Dumpty sat on the wall,
  Creimy Dumpty had a great fall.
  All the king's horses
  And all the king's men
  Couldn't put Creimy Dumpty
  Together again.
  Creimy's siblings video and theme song, very realistic, especially the pants, just like Creimy's:
  https://www.youtube.com/watch?...
  With "Vice President Pence Vowing US Astronauts Will Return To the Moon", we are sure they will need miracle workers up there, here is what it would look like. Note that Creimy takes care of bringing a lot of food to the moon as depicted below:
  https://www.youtube.com/watch?...
  Creimy's real pictures:
  Before the sex change:
  https://ibb.co/cc7Ddw
  After the sex change:
  https://ibb.co/gVad65
  Creimy's "enterprise-level" chair, he talks about it all the time on slashdot:
  http://www.keynamics.com/image...
  Creimy's head, while his supervisor was talking to him, not with him, since it is impossible to do with Creimy:
12. Re: Pad left into progress... by Anonymous Coward · 2018-01-13 11:43 · Score: 0
  
  Chris' case is getting worse, he spends all day replying to himself as AC on /.
  The tests we ran on Chris have shown that Chris has the intelligence of an ameba:
  https://en.wikipedia.org/wiki/...
  So, technically, he is able to conceive some kind of agenda but it will be silly or impossible to follow on a human scale.
  For example, Chris had an agenda to post anything he felt like on Slashdot which did not work well because it was based on his false beliefs that he had an infinite number of karma points as he wrote here several times.
  Several people here explained to Chris that karma maxed out at some level like 50 or so but Chris kept on insisting that his python script had confirmed that he had millions of karma points!
  Oh well, as I wrote before: "It isn't Chris' fault if he is the way he is. We do the best we can do with him and he is partially integrated into society. We try to cure his abnormal need for attention but he is kind of stubborn and won't listen to anybody."
  For the valuable /. users that might already have read the following, please note that there is an important update.
  IMPORTANT UPDATE:
  Special Education for the Santa Clara County Office of Education has invested money to buy Chris a new chair:
  http://www.keynamics.com/image...
  Information about Christopher Dale Reimer and autistic people:
  Autistic people have obsessions about things normal people don't care. For example, one of our autistic patient went haywire when he realized that there was a penny missing in his pocket change.
  To calm him down, one of our educator pretended to have found it on the floor and gave a penny to him.
  The autistic patient condition went even worse because he realized it wasn't the same penny!
  Chris has an obsession with budgeting every penny. He doesn't understand that most people do not budget to the penny and have a flexible amount they allow for miscellaneous items.
  I am Nancy Guerrero and I am Director of Special Education for the Santa Clara County Office of Education. We use Chris' (a.k.a. creimer,cdreimer) picture in our document because he is the hardest case we have ever had to handle:
  http://www.sccoe.org/depts/stu...
  Our artists were inspired by the low carb diet that Christopher follows scrupulously for the small lunch box and by the picture linked below for the rest. I am sure that you will notice the similarities such as the bump on the side of his chest and more:
  https://ibb.co/gVad65
  Please be easy on Christopher although, I am aware that some of our staff handling Chris post joke comments here and obvoiusly, the Santa Clara County Office of Education disapprove that behavior vehemently:
  http://ibb.co/mRVSaG
  But it isn't Chris' fault if he is the way he is. We do the best we can do with him and he is partially integrated into society. We try to cure his abnormal need for attention but he is kind of stubborn and won't listen to anybody.
  Thank You dear users,
  ---
  Nancy Guerrero
  Director
  Special Education
  Santa Clara County Office of Education
13. Re:Pad left into progress... by Anonymous Coward · 2018-01-13 11:46 · Score: 0
  
  No way! You're the bitter, sweet tits
14. Re:Pad left into progress... by Anonymous Coward · 2018-01-13 11:54 · Score: 0
  
  New Video: What Does Hyundai Mean? [youtu.be]
  Sorry mister cdreimer!
  I still don't know what Hyundai means. This video is a piece of trash! Was this some attempt at a joke or are you simply trolling?
15. Re:Pad left into progress... by Anonymous Coward · 2018-01-13 12:17 · Score: 0
  
  You've spammed Amazon links for months, posted over and over about child brides, and generally been a shitty poster for more than a decade. A single boring-but-on-topic post doesn't change that you are a shit stain who deserves to be driven off Slashdot, dragged out into the street, and shot like a dog.
16. Re: Pad left into progress... by Anonymous Coward · 2018-01-13 13:08 · Score: 0
  
  The creimertards are behaving badly after being dismissed by creimer. I wonder how long this will last.
17. Re:Pad left into progress... by Anonymous Coward · 2018-01-13 13:26 · Score: 0
  
  Don't feel too bad. Neither did the Korean guy playing the trivia contest and hostess kept throwing clues his way.
any idea what's in your dependencies? by neaorin · 2018-01-13 06:13 · Score: 4, Informative

I’m harvesting credit card numbers and passwords from your site. Here’s how.
Re: why does anyone use online javascript librarie by Anonymous Coward · 2018-01-13 06:20 · Score: 0

Your and such, idiot an should learn How too grammer and's, spells!
Re:why does anyone use online javascript libraries by Fly+Swatter · 2018-01-13 06:49 · Score: 1

You are supposed to read, that mouthful of a sentence, like William Shatner, and treat each comma as, a dramatic pause for effect.
Need a mirror by andymadigan · 2018-01-13 07:54 · Score: 1

First of all, if npm is having a lot of issues with package deletion, they need a "staging" repo and a promotion policy, to protect the production repo from breaking changes.

Also, as is industry practice with maven central, it sounds like any company using npm needs to run their own caching mirror, to keep permanent copies of the artifacts your company is using. Unfortunately, I don't think npm's support for private mirrors is as good as maven's.

Anyone know of a good solution to this?

--
The right to protest the State is more sacred than the State.
So another failure of APK to prevent an attack by Anonymous Coward · 2018-01-13 10:37 · Score: 0

So you are saying that retard APK's work failed yet again to prevent an attack.
He should be use to being a failure by now.
Even his parents regret not not aborting him.
Just because his software is such a sack of shit that it requires a rewrite when TLDs change doesn't meant he is incompetent.
By the way I hear it is also listed in the Misc section of some random web sites.
The story of creimy the montain and his royalties! by Anonymous Coward · 2018-01-13 11:02 · Score: 0

Here is the story of creimy the mountain and his royalties!
Listen to the audio version here:
https://www.youtube.com/watch?...
"Creimy The Mountain"
includes quotes from Pomp and Circumstance March No. 1 in D major (Edward Elgar), Johnny's Theme (Paul Anka), Off We Go Into The Wild Blue Yonder (Crawford), O Mein Papa (Paul Burkhard), Over The Rainbow (Harburg/Arlen), Star-Spangled Banner (Smith/Key), Suite: Judy Blue Eyes (Stephen Stills)
One, two, three
CREIMY the Mountain
CREIMY the Mountain
A regular picturesque
Postcardy mountain
Residing between lovely
Rosamond and Gorman
With his stunning wife ETHELL, A tree! A tree!
CREIMY was a mountain ETHELL was a tree Growing off of his shoulder
CREIMY was a mountain
(CREIMY was a mountain!)
ETHELL was a tree Growing off of his shoulder
(ETHELL was a tree growing off of his shoulder)
(hey, hey hey!)
Creimy had two big
Caves for eyes,
With a cliff for a jaw
That would go up 'n down,
And whenever it did,
He'd puff out some dust,
And hack up a boulder (HACK!) Hack up a boulder (HACK! HACK!)
Hack up a boulder (HACK! HACK! HACK!) Up a boulder
Now, one day, now I believe it was on a Tuesday, a man in a checkered double-knit suit drove up in a large El Dorado Cadillac, leased from BOB SPREEN
("Where the freeways meet in Downey!")
And he laid a HUGE, BULGING ENVELOPE right at the corner of CREIMY THE MOUNTAIN, that was right where his 'foot' was supposed to be.
Now, CREIMY THE MOUNTAIN, he couldn't believe it! All those postcards he'd posed for, for ALL OF THOSE YEARS, and finally, now, AT LAST, his Royalties!
Royalties! Royalties Royalties! Royalty check is in, honey!
Yes, CREIMY THE MOUNTAIN was RICH! Yes, and his eyeball-caves, they widened in amazement, and his jaw (which was a cliff), well it dropped thirty feet!
A bunch of dust puffed out! Rocks and boulders hacked up, (hack! hack!) crushing 'The LINCOLN'!
I gave him the money He acted real funny He hocked up a rock and It TOTALLED my car!
Oh, do you Know any trucks Might be bound for THE VALLEY?
I don't wanna stand here All night in this bar (Dear Lord)
I don't wanna stand here All night in this bar (No shit!)
I don't wanna stand here All night in this bar!
By two o'clock, when the bars are already closed down, CREIMY had broken 'THE BIG NEWS' to ETHELL. And with dust and boulders everywhere, CREIMY, choked with excitement, announced
"ETHELL, we're going on a VACATION!"
Yes, and they WERE going on a vacation! (Oh, and ETHELL, ETHELL, ETHELL, like every little woman, she of course was very excited! She creaked a little bit, and some old birds flew off of her.) CREIMY told ETHELL they were going to Yes! They were going to NEW YORK!
"ETHELL, we're going to New York!"
But first they were gonna stop in LAS VEGAS
It's off to LAS VEGAS to check out the lounges Pull a few handles,
And drink a few beers, (Oh, ETHELL!)
ETHELL, my darling, you know that I love you!
I'm glad we could have a Vacation this year! (Oh, NEET-O!)
Glad we could have a Vacation this year!
They left that night, crunchin' across the Mojave Desert their voices echoing through the canyons of your minds (POO-AAH!)
"ETHELL, wanna get a cuppa cawfee?"
(Howard Johnson's! Howard Johnson's!
Howard Johnson's! Howard Johnson's!)
"Ahhh! there's a HOWARD JOHNSONS! Wanna eat some CLAMS?"
The first noteworhty piece of real estate they destroyed was EDWARDS AIR FORCE BASE
And TO THIS VERY DAY, 'Wing Nuts' and Data Reduction Clerks alike, speak in reverent whispers about that fateful night when TEST STAND #1 and THE ROCKET SLED ITSELF (We have ignition!) got LUNCHED! I said LUNCHED! (Lunched!) By a FAMOUS MOUNTAIN-IN and his SMALL, WOODEN WIFE.
"Word just in to the KTTV News Service undeniably links THIS MOUNTAIN and HIS WIFE to drug abuse and