Slashdot Mirror


NPM Fails Worldwide With 'ERR! 418 I'm a Teapot' Error (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Users of the NPM JavaScript package manager were greeted by a weird error yesterday evening, as their consoles and applications spewed a message of "ERR! 418 I'm a teapot" whenever they tried to update or install a new JavaScript/Node.js package. JavaScript developers from all over the world received the error, and not just in certain geographical regions. The bug did not affect all users, but only those behind a proxy server.

  1. You gotta wonder by Zephyn · · Score: 4, Funny

    How many people saw that error message and thought to themselves, "This Internet of Things concept is getting way out of hand."

    1. Re:You gotta wonder by Anonymous Coward · · Score: 2, Insightful

      The 418 code was an April 1st joke, it really should not be in the codebase of any serious web application...

    2. Re:You gotta wonder by arth1 · · Score: 4, Informative

      If you saw the error message, you used a command line interface with a proxy server, and thus were likely tech savvy. And then chances are you'd know about the 418 error code and RFC2324. It's 20 years old now, preceding IOT by quite a bit.

    3. Re:You gotta wonder by Lunix+Nutcase · · Score: 3, Insightful

      Well then good news. NPM isn’t a serious web application. It’s an amateur hour piece of software.

    4. Re:You gotta wonder by DontBeAMoran · · Score: 1

      It's nothing compared to "YouTube error 583, I'm a giraffe", which has affected 1.2 million users.

      --
      #DeleteFacebook
    5. Re:You gotta wonder by rahvin112 · · Score: 3, Interesting

      Yet it's used directly by millions of people every day and with major applications. This is the problem with these hosted javascript scripts that people plug into their websites willy-nilly. They are a shitshow where someone could gain access and plug malware into millions of websites, and are a single point of failure. Not even going to touch the shitty programming parent alludes to. Anyone thinking of using this shit should pull copies and check it for security and code quality and host it on their own servers rather than just point to the script and load it dynamically.

      But that would be hard and who cares if it's hard. Funny thing is we just went through this a couple months ago when one of these major scripts hosting went down and it disabled 1/4 of the internet. You'd think people would learn from that.

    6. Re:You gotta wonder by devman · · Score: 1

      You can also use subresource integrity.
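
Added example, not part of the thread or of NPM's own code: the subresource integrity check mentioned in the comment above, sketched in Node.js for a script that has been pulled, reviewed and self-hosted. The file contents and the `/js/lib.js` path are constructed placeholders.

```javascript
// Added example: Subresource Integrity (SRI) values for a vendored script.
const crypto = require('crypto');

// Hash functions SRI accepts, ordered weakest to strongest.
const SRI_ALGORITHMS = ['sha256', 'sha384', 'sha512'];

// Build one integrity token ("<alg>-<base64 digest>") from the file bytes.
function sriFor(content, algorithm = 'sha384') {
  if (!SRI_ALGORITHMS.includes(algorithm)) {
    throw new Error(`unsupported SRI algorithm: ${algorithm}`);
  }
  return `${algorithm}-${crypto.createHash(algorithm).update(content).digest('base64')}`;
}

// Split an integrity attribute into tokens, dropping malformed ones and
// algorithms outside the SRI list (browsers ignore those too).
function parseIntegrity(integrity) {
  const entries = [];
  for (const token of integrity.trim().split(/\s+/)) {
    const dash = token.indexOf('-');
    if (dash < 1) continue;
    const algorithm = token.slice(0, dash).toLowerCase();
    const digest = token.slice(dash + 1).split('?')[0]; // strip "?options"
    if (SRI_ALGORITHMS.includes(algorithm) && digest) {
      entries.push({ algorithm, digest });
    }
  }
  return entries;
}

// Check content the way a browser does: only the strongest algorithm listed
// counts, and any one digest for that algorithm may match. Unlike a browser,
// which loads the script when no usable hash is present, this fails closed.
function verifyIntegrity(content, integrity) {
  const entries = parseIntegrity(integrity);
  if (entries.length === 0) return false;
  const strongest = entries
    .map((e) => SRI_ALGORITHMS.indexOf(e.algorithm))
    .reduce((a, b) => Math.max(a, b));
  const algorithm = SRI_ALGORITHMS[strongest];
  const actual = crypto.createHash(algorithm).update(content).digest();
  return entries
    .filter((e) => e.algorithm === algorithm)
    .some((e) => Buffer.from(e.digest, 'base64').equals(actual));
}

// Emit the tag to paste into a page; crossorigin is needed for the check to
// run when the script is served from another origin.
function scriptTag(src, content) {
  return `<script src="${src}" integrity="${sriFor(content)}" crossorigin="anonymous"></script>`;
}

// Constructed sample data: a reviewed copy and a later, modified copy.
const reviewed = Buffer.from('window.lib = { version: "1.0.0" };\n');
const modified = Buffer.from('window.lib = { version: "1.0.0" }; /* changed */\n');

console.log(scriptTag('/js/lib.js', reviewed));
console.log('reviewed copy passes:', verifyIntegrity(reviewed, sriFor(reviewed)));
console.log('modified copy passes:', verifyIntegrity(modified, sriFor(reviewed)));
```
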

    7. Re:You gotta wonder by NicknameUnavailable · · Score: 1

      No real nerds fail to understand the meaning behind error 418, but the beasts will never understand.

    8. Re:You gotta wonder by NicknameUnavailable · · Score: 1

      Yet it's used directly by millions of people every day

      Air is used by more and most of them are still fucking retarded.

    9. Re: You gotta wonder by FormOfActionBanana · · Score: 1

      Don't be a doofus. It is unassigned. https://www.iana.org/assignmen...

      --
      Take off every 'sig' !!
    10. Re:You gotta wonder by gweihir · · Score: 1

      Better than "lp0 on fire", now that might wake a few people up. Unfortunately, AFAIK, there is no HTTP error code for that.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re: You gotta wonder by Z00L00K · · Score: 1

      Because http wasn't invented when lp0 was created.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    12. Re: You gotta wonder by Lunix+Nutcase · · Score: 1

      No it’s not. Also it was part of a yearly joke RFC.

    13. Re:You gotta wonder by q_e_t · · Score: 2

      I presume it is a panic that alludes to Tim Brooke-Taylor in The Goodies.

    14. Re: You gotta wonder by Medievalist · · Score: 2

      RFC 2324 section 2.3.2 assigns error 418 as follows:

      Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout.

      So as long as NPM is RFC2324 compliant, that's a perfectly cromulent error code. :)

    15. Re:You gotta wonder by Carewolf · · Score: 3, Funny

      Well then good news. NPM isn’t a serious web application. It’s an amateur hour piece of software.

      No it is obviously a teapot.

    16. Re:You gotta wonder by kevingolding2001 · · Score: 1

      So I guess Google is not a serious web application then.

      http://www.google.com/teapot

    17. Re: You gotta wonder by Lunix+Nutcase · · Score: 2

      It is a regrettably well spread misconception that publication as an RFC provides some level of recognition. It does not, or at least not any more than the publication in a regular journal. In fact, each RFC has a status, relative to its relation with the Internet standardization process: Informational, Experimental, or Standards Track (Proposed Standard, Draft Standard, Internet Standard), or Historic. This status is reproduced on the first page of the RFC itself, and is also documented in the periodic "Internet Official Protocols Standards" RFC (STD 1).

      https://tools.ietf.org/html/rf...

      Now let’s go to the I’m a Teapot RFC:

      Status of this Memo

      This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

      So basically you’re wrong as can be.

    18. Re: You gotta wonder by Lunix+Nutcase · · Score: 1

      And the person is double fail since that RFC even states it’s not a “standard of any kind.”

    19. Re: You gotta wonder by gweihir · · Score: 1

      HTTP could have been backwards compatible...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. ERR! 418 I'm a Teapot by Anonymous Coward · · Score: 3, Funny

    Short and Stout!

    1. Re:ERR! 418 I'm a Teapot by Oswald+McWeany · · Score: 1

      Short and Stout!

      That's not a teapot, that's a beer glass.

      --
      "That's the way to do it" - Punch
    2. Re:ERR! 418 I'm a Teapot by syn3rg · · Score: 3

      IMAO, a beer glass should never be short. The contents, however, may be stout.

      --
      The contents of this message have been doubly encrypted by ROT13
    3. Re:ERR! 418 I'm a Teapot by SuricouRaven · · Score: 1

      You are not familiar with the classic British beer glass? It is short. It is also wide. They have largely disappeared from pubs these days, as they are expensive to replace and make excellent brawling weapons.

    4. Re:ERR! 418 I'm a Teapot by K.+S.+Kyosuke · · Score: 3, Funny

      Short and /dev/stdout?

      --
      Ezekiel 23:20
  3. I'm too oldschool. by jellomizer · · Score: 2

    I like to download my Javascript Framework and have it linked to the internal web-server.
    Just for the sake that I don't want an extra point of failure. (Like this) Then you have to worry about if the bigger target site got hacked and altered the Node.js file to do some nasty stuff from the file.

    Other than getting updates automatically, what is the point?

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:I'm too oldschool. by El+Cubano · · Score: 5, Insightful

      I like to download my Javascript Framework and have it linked to the internal web-server.

      That is not old school. It is the difference between being an amateur programmer and a professional software developer/engineer. To be clear, deploying anything meaningful into production based on drawing dependencies from a source which you do not trust or directly control is an amateur move.

      For anything more complex than school/hobby project, and for every professional project, I make it a point to ensure the stability and availability of the dependencies. In some cases that might be as simple as ensuring the libraries are available and suitable as is in the Linux distro package repo (I generally trust Debian, RHEL, and Suse for stuff like this). In the case where the packages are not available or they are only available from a potentially unreliable source (Fedora, NPM, CPAN, Maven central, RubyForge, etc.) I make sure to make a local copy (either stand up my own repository or incorporate the dependency into source control directly). That way I can be assured that the dependency continues to be available and working when I need it.

      Granted, doing that means that one accepts the burden/responsibility of keeping the dependency up to date and tracking the vendor/upstream security advisories. But then, that is why (good) software developers/engineers get paid well.

    2. Re:I'm too oldschool. by TheDarkMaster · · Score: 4, Insightful

      This. Oh boy, this. I'm fucking sick of seeing all these websites developed in this completely amateur way using javascripts files from several external sources to the site itself where each of them is a potential source of problems and security breaches, and this is not to mention the cases where these scripts call other scripts from other sites that in turn also call other scripts in a lunatic chain of operations to do things that should be contained within the original site.

      --
      Religion: The greatest weapon of mass destruction of all time
    3. Re:I'm too oldschool. by jellomizer · · Score: 2

      "I write my server side code in C" Leaving your programs open to buffer overflow and memory leaks.
      "my CGI lib is fucking bulletproof since the functions are ancient and have been hammered on for decades" So it is relatively simple.
      "I write my client side code in C and use Emscripten to compile my code to ASM.js " So you code in a low level language and compile it to a high level language?
      "Since I have a C compiler targeting browsers this means I can use ANY FUCKING SOFTWARE I WANT on either the client or server since EVERYTHING is written in C. All of today's "self hosting" languages bootstrap themselves using C..." Assuming of course you have the source, and any particular library that will actually work for your platform.

      I have found such developers who call themselves old school and do all this stuff, are just less likely to learn something new. C has its place; however, the browser more "Natively" uses JavaScript. And either you take a long time to do development, or your set of tools that you have built over a decade is the equivalent of one of those fancy new languages.

      Back in the early/mid 1990's I did my stuff in C, because that was the only good option. Later in my career I have started to use higher level languages. Just because it allows me to write code quickly, and other junior developers are able to pick up and maintain the program, after I have done all the heavy legwork.

      I have had a strong track record of over 20 years web development, I never had to deal with a successful hack, and some of my code has been heavily hit. However I don't claim it is bullet proof, it is as good as I can make it.

      However NPM links to JavaScript files never seemed to explain what the real benefit is.
      I only see two advantages:
      1. Security Patches can be applied seamlessly.
      2. If your hosting is limited, having these relatively big JS files downloaded from another site can save on bandwidth.

      But these are small issues. But I see the costs much more than the benefits.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:I'm too oldschool. by jellomizer · · Score: 1

      "But then, that is why (good) software developers/engineers get paid well."
      Of course your bosses who get paid better will tell you to do it the stupid way, because they don't want to accept risk. They would much rather see the customers not be able to work and have someone else to blame. Than have an overall higher update, but take blame when there is an issue.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re:I'm too oldschool. by aaarrrgggh · · Score: 1

      I love it. Makes it easier to block all the useless shit with noscript...

    6. Re:I'm too oldschool. by HiThere · · Score: 1

      You make an interesting commentary on rust.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    7. Re:I'm too oldschool. by K.+S.+Kyosuke · · Score: 1

      I have found such developers who call themselves old school and do all this stuff, are just less likely to learn something new.

      That will probably be important once "something new" appears. So far the software industry at large is catching up with computing infrastructure research of the 1980s.

      --
      Ezekiel 23:20
  4. Proving Once and for All by Anonymous Coward · · Score: 1

    It's never oolong before working in javascript stabs programmers right in the puer!

    1. Re:Proving Once and for All by BronsCon · · Score: 1

      I tea what you did there.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  5. Best 400 Error Code! by Murdoch5 · · Score: 1

    418 is by far the best 400 code you can generate and it's hilarious!

  6. Re:Open source trolls? by Spinlock_1977 · · Score: 1, Informative

    Do your research before anonymously flinging mud please. HTTP 418 is a legitimate error code: https://developer.mozilla.org/...

    --
    - The Kessel run is for nerf herders. I can circumnavigate the entire Central Finite Curve in a lot less than 12 parse
  7. Time for a change in leadership by Anonymous Coward · · Score: 2, Interesting

    There was zero response (that I could see) from the NPM team until a maintainer locked the thread and chided commenters for repeating that they too were receiving the error. This is the third or fourth time there's been a major issue that screws people relying on npm, and if the team hasn't fixed the process by now, it might be good to find a different team that can.

    1. Re:Time for a change in leadership by Galactic+Dominator · · Score: 2

      If NPM users haven't learned by now they can't rely on that infrastructure, then maybe it's time to review your process. Live by the upstream, die by the upstream. Therefore I host my own upstream.

      --
      brandelf -t FreeBSD /brain
  8. Trivial Projects Require Frameworks by Anonymous Coward · · Score: 1

    It seems the more trivial the project, the more complex of a framework it requires.

    "Project Bang, requires Kong, to Compile Throng, to make lint to compile druffle to enable truffle to fluffle the socksifer."

    100s of Mbs of crap to compile some trivial program, sometimes even GBs of other crapware that will only be used once.

    This is why snaps and containers are awesome, I don't pollute my system with crap, and I can remove it at the drop of a hat.

    Whatever happened to "make"?

    Then again, I just answered my own question. I'd rather deal with a huge download once, than manually purging my system of crap.

  9. Re:Open source trolls? by Anonymous Coward · · Score: 2, Informative

    It is a legitimate error code only if the device is an actual teapot and was asked to brew coffee. That is not the case in this situation, and the error code is being misused.

  10. Don't make tea in a coffee pot by jfdavis668 · · Score: 1

    You wouldn't get that error if you made coffee. You can't make tea in a coffee pot!

    1. Re:Don't make tea in a coffee pot by jfdavis668 · · Score: 1

      I think I got that backward. You can't make coffee in a tea pot.

    2. Re:Don't make tea in a coffee pot by HiThere · · Score: 1

      Sure you can also make coffee in a teapot. You can either use instant, or add a raw egg to the grounds.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  11. To be expected. by Gravis+Zero · · Score: 2

    This is what happens when you model your software after a house of cards.

    --
    Anons need not reply. Questions end with a question mark.
  12. yeah, I did that. by Thud457 · · Score: 1

    You can't, but I bet Jim Holden can.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  13. Re:This is why by jfdavis668 · · Score: 1

    That's it, I'm writing my own OS, network stack, web server, database server, etc. I'll be up and running in about 20 years.

  14. Didn't NPM fuck up a while ago as well? by wardrich86 · · Score: 1

    IIRC there was something wonky with their Github page a few months ago (maybe last year) that caused a bunch of trouble.

  15. Re:Java FTW! by HornWumpus · · Score: 1

    No, no, no. An OS written in Javascript...running on a hypervisor also written in Javascript...all of which have their code residing on random shares set up on game consoles.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  16. Re:This is why by OrangeTide · · Score: 1

    That's my plan as well. I started my web server OS + compiler project in 1997, and I'm way behind.

    (honestly NaviServer/AOLserver sort of filled my needs at the time and I never got around to doing my own project, even though it sounds amazing on paper. Then I discovered Inferno and realized my ideas weren't anything new)

    P.S. Luvit is a Lua-based NodeJS-like server and could probably be ported to run bare metal ESP32 or RPi. So for the crazy hyper-DIY coder that model might be feasible in only 5-10 years instead of 20.

    --
    “Common sense is not so common.” — Voltaire
  17. Re:I felt a great disturbance in the javascript by arth1 · · Score: 2

    and were suddenly silenced

    No, that would be the 451 error code.

  18. Could be worse by iTrawl · · Score: 4, Funny

    Could have been: 419 I'm a Nigerian Prince.

    --
    "Everybody's naked underneath" -- The Doctor
    1. Re:Could be worse by Tablizer · · Score: 1

      I for one welcome our Nigerian teapot overlords.

    2. Re:Could be worse by PPH · · Score: 1

      Or ERR 420: Dude! What?

      --
      Have gnu, will travel.
    3. Re:Could be worse by q_e_t · · Score: 1

      Dude where's my JavaScript?

  19. Re:I felt a great disturbance in the javascript by SuricouRaven · · Score: 1

    I've encountered the 451 code myself, when making a web crawler: It's the code that the ipfs.io gateway will return if you request from it an object which is on their blacklist of things they have received takedowns for.

    That being IPFS though, it's trivial to just use another gateway.

  20. Re:Open source trolls? by Anonymous Coward · · Score: 1

    Do your research before anonymously flinging mud please. HTTP 418 is a legitimate error code: https://developer.mozilla.org/...

    It is not legitimate at all. Check the official docs, not Mozilla's: https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

  21. Why? by SuricouRaven · · Score: 1

    Why does Javascript even need a repository? Between that, node.js and jquery, it's starting to look like someone has been reinventing the library stack with quickbasic at the foundation.

    1. Re:Why? by q_e_t · · Score: 1

      Shhh

  22. Re:prinrter error imsert cheeseburger by HornWumpus · · Score: 1

    Worked with a thumper back in DOS days.

    I flashed her computer's BIOS. 'Adopt, retry, fail?' Complete waste of time, but better than working.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  23. Not very stout by Khyber · · Score: 1

    But then again, NPM and maintainers aren't known for being the brightest bulbs, either. I can think of four other times they've fucked up just in recent memory.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  24. Re:Open source trolls? by FormOfActionBanana · · Score: 1

    It is unassigned, asshat. https://www.iana.org/assignmen...

    --
    Take off every 'sig' !!
  25. Re:Why I write my OWN code (no 3rd party) by EETech1 · · Score: 1

    APK Hosts File Engine 2.0++ 64-bit for Linux

    Link?

  26. Re:This is why by q_e_t · · Score: 1

    I'm starting with emacs and will be done in three

  27. Re:7 proxies by q_e_t · · Score: 1

    And one proxy to bind them all?

  28. Re:Java FTW! by K.+S.+Kyosuke · · Score: 1

    Replace "Java" with "Oberon" and you'll make me quite happy.

    --
    Ezekiel 23:20