Hacker blocks removal of packages from npm registry with meme package


Due to a prank by an npm contributor, developers were unable to remove their own npm packages from the central registry for days. A hacker published a package that depends on every other npm package, which led to unexpected problems.

On December 29, npm user gdi2290 published a package to the npm registry containing five dependencies that together pull in every other published npm package. The package is called everything and, according to researchers, ships with a readme in which its makers warn against installing it. It is described as a meme package rather than a serious project, but despite only 224 installations, the package turned out to have major consequences for other developers.

First of all, installing the package can cause a denial of service: more than three thousand chunk packages, which together reference millions of packages, are downloaded from the central registry during an installation. But the bigger problem lies in npm’s unpublish policy, which governs when a maintainer may remove their own package from the registry. One of that policy’s criteria is that a package can only be unpublished if no other package lists it as a dependency.

Because the everything package lists every other package as a dependency, it was no longer possible for maintainers to unpublish their own packages. This also meant that the original uploader could no longer delete the package himself. He had to contact npm and its parent company GitHub, which said it would remove the package.
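To make the mechanism concrete, here is an added example (not code from the article, npm or the everything package) that models a tiny npm-style registry as a dependency graph. The package names other than everything, the two-level chunk layout and the whole registry snapshot are constructed for illustration; the only policy rule modelled is the dependents criterion described above, and npm's real unpublish policy has further conditions that are not shown here.

```javascript
// Added example: toy model of an npm-style registry and of the dependents
// criterion from npm's unpublish policy. The snapshot below is constructed;
// every name except "everything" is hypothetical and the chunk layout is a
// simplification of the real package.

// Each entry maps a package name to the names it lists under "dependencies".
const REGISTRY = {
  // The meme package depends only on a handful of chunk packages...
  "everything": ["chunk-0", "chunk-1"],
  // ...which in turn depend on every other package in the registry.
  "chunk-0": ["left-pad-ish", "tiny-utils"],
  "chunk-1": ["small-lib", "orphan-pkg"],
  // Ordinary packages with their own small dependency trees.
  "left-pad-ish": [],
  "tiny-utils": ["left-pad-ish"],
  "small-lib": ["tiny-utils"],
  "orphan-pkg": [],
};

// Reverse index: package -> set of packages that list it as a dependency.
function buildDependents(registry) {
  const dependents = new Map();
  for (const name of Object.keys(registry)) dependents.set(name, new Set());
  for (const [name, deps] of Object.entries(registry)) {
    for (const dep of deps) {
      if (!dependents.has(dep)) dependents.set(dep, new Set());
      dependents.get(dep).add(name);
    }
  }
  return dependents;
}

// The single criterion from the article: a package may be unpublished only
// if no other package depends on it. Returns the blocking dependents so the
// maintainer can see why the request would be refused.
function canUnpublish(registry, name) {
  const blockers = buildDependents(registry).get(name) ?? new Set();
  return { allowed: blockers.size === 0, blockedBy: [...blockers].sort() };
}

// Transitive closure of what installing `name` would have to fetch: every
// package reachable through the dependency graph, including the root.
function installClosure(registry, name) {
  const seen = new Set();
  const stack = [name];
  while (stack.length > 0) {
    const cur = stack.pop();
    if (seen.has(cur)) continue;
    seen.add(cur);
    for (const dep of registry[cur] ?? []) stack.push(dep);
  }
  return seen;
}

// The same registry before the meme package and its chunks were published.
const WITHOUT_EVERYTHING = Object.fromEntries(
  Object.entries(REGISTRY).filter(
    ([name]) => name !== "everything" && !name.startsWith("chunk-")
  )
);

// orphan-pkg has no dependents before the prank and can be unpublished...
console.log(canUnpublish(WITHOUT_EVERYTHING, "orphan-pkg"));
// ...but afterwards a chunk package lists it, so unpublishing is refused.
console.log(canUnpublish(REGISTRY, "orphan-pkg"));
// Installing the root pulls the entire registry, the denial-of-service side.
console.log(installClosure(REGISTRY, "everything").size, "packages fetched");
```

In the toy registry, a package that was freely removable before the chunk packages existed is blocked the moment one of them lists it, which is exactly the situation maintainers ran into; the install-closure count shows why a single `npm install` of the root is so expensive.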
