Slashdot Mirror


NPM Fails Worldwide With 'ERR! 418 I'm a Teapot' Error (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: Users of the NPM JavaScript package manager were greeted by a weird error yesterday evening, as their consoles and applications spewed a message of "ERR! 418 I'm a teapot" whenever they tried to update or install a new JavaScript/Node.js package. JavaScript developers from all over the world received the error, and not just in certain geographical regions. The bug did not affect all users, but only those behind a proxy server.

  1. You gotta wonder by Zephyn · · Score: 4, Funny

    How many people saw that error message and thought to themselves, "This Internet of Things concept is getting way out of hand."

    1. Re:You gotta wonder by Anonymous Coward · · Score: 2, Insightful

      The 418 code was an April 1st joke, it really should not be in the codebase of any serious web application...

    2. Re:You gotta wonder by arth1 · · Score: 4, Informative

      If you saw the error message, you used a command line interface with a proxy server, and thus were likely tech savvy. And then chances are you'd know about the 418 error code and RFC2324. It's 20 years old now, preceding IOT by quite a bit.

    3. Re:You gotta wonder by Lunix+Nutcase · · Score: 3, Insightful

      Well then good news. NPM isn’t a serious web application. It’s an amateur hour piece of software.

    4. Re:You gotta wonder by rahvin112 · · Score: 3, Interesting

      Yet it's used directly by millions of people every day and with major applications. This is the problem with these hosted javascript scripts that people plug into their websites willy nilly. They are a shitshow where someone could gain access and plug malware into millions of websites and is a single point of failure. Not even going to touch the shitty programming parent alludes to. Anyone thinking of using this shit should pull copies and check it for security and code quality and host it on their own servers rather than just point to the script and load it dynamically.

      But that would be hard and who cares if it's hard. Funny thing is we just went through this a couple months ago when one of these major scripts hosting went down and it disabled 1/4 of the internet. You'd think people would learn from that.

    5. Re:You gotta wonder by q_e_t · · Score: 2

      I presume it is a panic that alludes to Tim Brooke-Taylor in The Goodies.

    6. Re: You gotta wonder by Medievalist · · Score: 2

      RFC 2324 section 2.3.2 assigns error 418 as follows:

      Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout.

      So as long as NPM is RFC2324 compliant, that's a perfectly cromulent error code. :)

    7. Re:You gotta wonder by Carewolf · · Score: 3, Funny

      Well then good news. NPM isn’t a serious web application. It’s an amateur hour piece of software.

      No it is obviously a teapot.

    8. Re: You gotta wonder by Lunix+Nutcase · · Score: 2

      It is a regrettably well spread misconception that publication as an RFC provides some level of recognition. It does not, or at least not any more than the publication in a regular journal. In fact, each RFC has a status, relative to its relation with the Internet standardization process: Informational, Experimental, or Standards Track (Proposed Standard, Draft Standard, Internet Standard), or Historic. This status is reproduced on the first page of the RFC itself, and is also documented in the periodic "Internet Official Protocols Standards" RFC (STD 1).

      https://tools.ietf.org/html/rf...

      Now let’s go to the I’m a Teapot RFC:

      Status of this Memo

      This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

      So basically you’re wrong as can be.

  2. ERR! 418 I'm a Teapot by Anonymous Coward · · Score: 3, Funny

    Short and Stout!

    1. Re:ERR! 418 I'm a Teapot by syn3rg · · Score: 3

      IMAO, a beer glass should never be short. The contents, however, may be stout.

      --
      The contents of this message have been doubly encrypted by ROT13

    2. Re:ERR! 418 I'm a Teapot by K.+S.+Kyosuke · · Score: 3, Funny

      Short and /dev/stdout?

      --
      Ezekiel 23:20

  3. I'm too oldschool. by jellomizer · · Score: 2

    I like to download my Javascript Framework and have it linked to the internal web-server.
    Just for the sake that I don't want an extra point of failure. (Like this) Then you have to worry about if the bigger target site got hacked and altered the Node.js file to do some nasty stuff from the file.

    Other than getting updates automatic. What is the point?

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.

    1. Re:I'm too oldschool. by El+Cubano · · Score: 5, Insightful

      I like to download my Javascript Framework and have it linked to the internal web-server.

      That is not old school. It is the difference between being an amateur programmer and a professional software developer/engineer. To be clear, deploying anything meaningful into production based on drawing dependencies from a source which you do not trust or directly control is an amateur move.

      For anything more complex than a school/hobby project, and for every professional project, I make it a point to ensure the stability and availability of the dependencies. In some cases that might be as simple as ensuring the libraries are available and suitable as is in the Linux distro package repo (I generally trust Debian, RHEL, and Suse for stuff like this). In the case where the packages are not available or they are only available from a potentially unreliable source (Fedora, NPM, CPAN, Maven central, RubyForge, etc.) I make sure to make a local copy (either stand up my own repository or incorporate the dependency into source control directly). That way I can be assured that the dependency continues to be available to and working when I need.

      Granted, doing that means that one accepts the burden/responsibility of keeping the dependency up to date and tracking the vendor/upstream security advisories. But then, that is why (good) software developers/engineers get paid well.
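
Added example, not part of the thread or of npm's own code: one way to check a local copy of npm dependencies against the `integrity` (SRI) hashes recorded in `package-lock.json`, and to flag entries that still resolve to a host other than the internal mirror. The mirror host `npm.internal.example`, the package names and the tarball bytes are constructed for illustration.

```javascript
const crypto = require('crypto');

const STRENGTH = ['sha1', 'sha256', 'sha384', 'sha512']; // weakest to strongest

// Pick the strongest hash from an SRI string such as "sha1-... sha512-...".
function strongest(integrity) {
  return String(integrity || '').trim().split(/\s+/)
    .map((tok) => {
      const i = tok.indexOf('-');
      return { algo: tok.slice(0, i), b64: tok.slice(i + 1).split('?')[0] };
    })
    .filter((h) => STRENGTH.includes(h.algo))
    .sort((a, b) => STRENGTH.indexOf(b.algo) - STRENGTH.indexOf(a.algo))[0] || null;
}

// SRI string ("<algo>-<base64 digest>") for a tarball's bytes.
function sri(buf, algo = 'sha512') {
  return `${algo}-${crypto.createHash(algo).update(buf).digest('base64')}`;
}

// lock: parsed package-lock.json; vendored: Map of tarball URL -> Buffer.
// mirrorHost is the (hypothetical) internal registry every entry must resolve to.
function auditLock(lock, vendored, mirrorHost) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === '' || pkg.link) continue; // root project or symlinked workspace
    const want = strongest(pkg.integrity);
    const buf = vendored.get(pkg.resolved);
    if (!pkg.resolved || new URL(pkg.resolved).host !== mirrorHost)
      findings.push({ path, issue: 'resolved-outside-mirror' });
    if (!want) findings.push({ path, issue: 'no-integrity' });
    else if (!buf) findings.push({ path, issue: 'tarball-missing' });
    else if (sri(buf, want.algo) !== `${want.algo}-${want.b64}`)
      findings.push({ path, issue: 'hash-mismatch' });
    else if (want.algo === 'sha1') findings.push({ path, issue: 'weak-hash-only' });
  }
  return findings;
}

// Constructed sample data (not real packages): one mirrored, one still upstream.
const MIRROR = 'npm.internal.example';
const good = Buffer.from('constructed tarball bytes for left-thing 1.0.0');
const lock = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/left-thing': { resolved: `https://${MIRROR}/left-thing-1.0.0.tgz`, integrity: sri(good) },
  'node_modules/other-thing': { resolved: 'https://registry.npmjs.org/other-thing/-/other-thing-2.0.0.tgz', integrity: sri(Buffer.from('x')) },
}};
const vendored = new Map([[`https://${MIRROR}/left-thing-1.0.0.tgz`, good]]);
console.log(auditLock(lock, vendored, MIRROR));
```

Run in CI before a build, a non-empty result means the local copy no longer matches what the lockfile pinned, or a dependency would still be fetched from outside the mirror.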

    2. Re:I'm too oldschool. by TheDarkMaster · · Score: 4, Insightful

      This. Oh boy, this. I'm fucking sick of seeing all these websites developed in this completely amateur way using JavaScript files from several external sources to the site itself where each of them is a potential source of problems and security breaches, and this is not to mention the cases where these scripts call other scripts from other sites that in turn also call other scripts in a lunatic chain of operations to do things that should be contained within the original site.

      --
      Religion: The greatest weapon of mass destruction of all time

    3. Re:I'm too oldschool. by jellomizer · · Score: 2

      "I write my server side code in C" Leaving your programs open to buffer overflow and memory leaks.
      "my CGI lib is fucking bulletproof since the functions are ancient and have been hammered on for decades" So it is relatively simple.
      "I write my client side code in C and use Emscripten to compile my code to ASM.js " So you code a low level language and compile it to a high level language?
      "Since I have a C compiler targeting browsers this means I can use ANY FUCKING SOFTWARE I WANT on either the client or server since EVERYTHING is written in C. All of today's "self hosting" languages bootstrap themselves using C..." Assuming of course you have the source, and any particular library that will actually work for your platform.

      I have found such developers who call themselves old school and do all this stuff, are just less likely to learn something new. C has its place; however, the browser more "Natively" uses JavaScript. And either you take a long time to do development, or your set of tools that you have built over a decade is the equivalent of one of those fancy new languages.

      Back in the early/mid 1990's I did my stuff in C, because that was the only good option. Later in my career I have started to use higher level languages. Just because it allows me to write code quickly, and other junior developers are able to pick up and maintain the program, after I have done all the heavy legwork.

      I have had a strong track record of over 20 years web development, I never had to deal with a successful hack, and some of my code has been heavily hit. However I don't claim it is bullet proof, it is as good as I can make it.

      However NPM links to JavaScript files never seemed to explain what the real benefit is.
      I only see two advantages:
      1. Security Patches can be applied seamlessly.
      2. If your hosting is limited, having these relatively big JS files downloaded from another site can save on bandwidth.

      But these are small issues. But I see the costs much more than the benefits.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.

  4. Time for a change in leadership by Anonymous Coward · · Score: 2, Interesting

    There was zero response (that I could see) from the NPM team until a maintainer locked the thread and chided commenters for repeating that they too were receiving the error. This is the third or fourth time there's been a major issue that screws people relying on npm, and if the team hasn't fixed the process by now, it might be good to find a different team that can.

    1. Re:Time for a change in leadership by Galactic+Dominator · · Score: 2

      If NPM users haven't learned by now they can't rely on that infrastructure, then maybe it's time to review your process. Live by the upstream, die by the upstream. Therefore I host my own upstream.

      --
      brandelf -t FreeBSD /brain

  5. Re:Open source trolls? by Anonymous Coward · · Score: 2, Informative

    It is a legitimate error code only if the device is an actual teapot and was asked to brew coffee. That is not the case in this situation, and the error code is being misused.

  6. To be expected. by Gravis+Zero · · Score: 2

    This is what happens when you model your software after a house of cards.

    --
    Anons need not reply. Questions end with a question mark.

  7. Re:I felt a great disturbance in the javascript by arth1 · · Score: 2

    and were suddenly silenced

    No, that would be the 451 error code.

  8. Could be worse by iTrawl · · Score: 4, Funny

    Could have been: 419 I'm a Nigerian Prince.

    --
    "Everybody's naked underneath" -- The Doctor