Wondering where your JavaScript libs went? Spam-detection snafu exiled npm packages

On the defensive after a malware kerfuffle last year, code registry npm shot first before asking questions over the weekend – and is now apologizing for the errant execution. The keeper of hundreds of thousands of Node.js packages and other JavaScript libraries wrongly removed the account "floatdrop" belonging to developer …

  1.

    Truly a pinnacle of software engineering.

    These are just fucking code snippets - let's stop calling them "libraries".

    Examples (albeit some of the more humorously short ones): get-iterable, httpinkie, flatit

    npm is basically an automated way of jotting down which snippets of code you've lifted from Stack Overflow.

    1. Anonymous Coward

      Re: Truly a pinnacle of software engineering.

      Don't worry - some of us are fetching code directly from stack overflow instead. Very entertaining!

  2. Temmokan

    So we saw a simple scheme to disrupt multiple npm applications in a wink of an eye - copy widely used package's README, post dubious-looking package and voila, all the javascripters are pulling hairs out of their rear ends.

    I wonder, did the people managing npm ever test such a scenario before (a rhetorical question)?

    Looks like they never would, until another incident strikes.

  3. DCFusor Silver badge

    Foot gun fully operational

    I'm having snark overload.

    So, (no expert on web dev, I do REAL code) - programmers too dumb to either write their own or manage their dependencies - lo, even checking or unit testing them before deployment - depending on a questionable source that can change anytime, put online by someone who neither knows nor cares about them, working for companies too cheap to serve their own bits or pay real programmers, fail regularly when the things they depend on, but shouldn't, glitch? Do I have that right?

    Is this a devops thing or is it agile? The stupid all runs together for we old guys.

    Too bad I retired 20 years ago. In today's market I'd be worth SERIOUS bucks. My stuff actually works.

    1. Ken Hagan Gold badge

      Re: Foot gun fully operational

      "The stupid all runs together for we old guys."

      You are too kind, and not especially old. I'm trying to teach my kids about revision control before they get too deep into their own projects.

      These guys are on level 1 : not even repeatable from one day to the next because they don't actually control their own code.

  4. Destroy All Monsters Silver badge

    Development: Gone Wrong, Gone Bad

    Hopefully nobody got hurt when the Play-Doh applications croaked.

    Meanwhile, Java code is happily humming in the backend, uses threads and SQL for normal levels of productivity and sanity (btw: Threads Without the Pain) without the Promise cancer, uses only a few bunches of 3rd party libraries AND is killing Node.js in performance benchmarks.

    1. boltar Silver badge

      Re: Development: Gone Wrong, Gone Bad

      "Meanwhile, Java code is happily humming in the backend, uses threads and SQL for normal levels of productivity and sanity"

      And boatloads of memory compared to a similar backend system written in C++. ;o)

      But I'd still take Java over the kiddies' playpen environment known as JavaScript where code-writing monkeys (sorry, I'm not going to call them developers) seem to think it's perfectly ok for the crap they dish up to pull in unverified code from multiple different sources every fucking time it runs because they're too goddamn incompetent to write even simple algorithms that wouldn't challenge your average school kid computer enthusiast. I mean where the hell do you start with the security implications of that, not to mention the network inefficiencies? The whole web stack is an utter POS and should be redesigned from the ground up, from the HTTP model via JavaScript to CSS and all the other 2nd-rate brainfarts that got included into it because the W3C couldn't even spell "clue", never mind get one.

  5. Notas Badoff

    Risk analysis

    Hmm, this bit here looks wrong. What would happen if we disable it?

    A) production goes down

    B) payroll goes down (and it's end-of-month)

    C) muzak goes down

    Presumably NPMinc has tracking statistics where they could ask the question: how many people/downloads per day for this project?

    Hey, you want to invalidate $1000 bills? Nobody will notice. $20 bills? Revolution.

  6. Peter Prof Fox

    Large scale experiment is useful

    npm and github are examples of libraries without librarians. It's sort-of quite convenient to have a rapid cluster of code around some particular idea. Of course there are 1000 me-too solutions when 10 might be a more manageable number. Until repositories like this are properly curated they're always going to be 'I got it from a man in the pub' reliability. The other thing is that 'quality' can't be measured by % of unit tests passed. It's part of the user's guide, but documentation, stability, applicability, flexibility, robustness and adaptability are big issues for system builders. So: jolly good for automating updates, which is no mean feat, but keep on working at the rest.

  7. Elledan

    The better way

    One thing which amazes me so much about the JavaScript and Java ecosystems ('swamps'?) is that their idea of 'dependency management' involves pulling libraries and snippets from all across the internet. Whether it's NPM or Maven (Nexus), the issue remains the same. Good luck compiling that 1-year old project because some crucial dependencies no longer match or have gone AWOL.

    Or hey, maybe you fancy compiling/building a project somewhere where pulling down half a GB of dependencies won't go over so well?

    In the very comfortable world of C/C++ development, libraries usually take the form of a few MB (or kB) of source and a DLL/SO file if it's particularly big. You get them from your package manager (Aptitude, Pacman, etc.), which is a repository curated by the same people responsible for your OS (or close enough, like with MSYS2).

    Of course, the Java ecosystem seems to be currently moving to a dependency-less environment, minus one: the entire Spring universe. As soon as Java on Android is dead, they can probably just drop the 'Java' name and go with just 'Spring' :)

  8. Jonathan 27 Bronze badge

    This just demonstrates the major weakness with NPM and integrating it so deeply with your development. It falls over and your build chain falls over. Sadly, it's very difficult to avoid these days. My company does primarily .NET web apps, but we're still reliant on NPM for bower, grunt and some other tools from NPM (and bower for front-end components, which is just as bad). It's really difficult to avoid these days, even if you don't like or trust it. The one plus is that at least deployed systems still work; it's not like using a CDN where if that goes down EVERYTHING goes down.

    1. Anonymous Coward

      "Sadly, it's very difficult to avoid these days."

      No it isn't. You do what every professional developer with an ounce of competence has been doing for the last 40-odd years and run your own local repositories.

      Rule 1) Do not depend on external repositories.

      Rule 2) Really, just don't.

  9. FatGerman

    I don't use it..

    .. so maybe this is an obvious question, but surely in a sane, well-managed, version-controlled development environment, external dependencies would be downloaded and stored locally with the source in a version control system, labelled, and used from there. Otherwise you're in a situation where your critical app depends on something you have no control over. You don't upgrade the external dependencies without a thorough round of testing first. Or is this what's meant by 'agile'? In that you need to be, to get away from the angry customers?

    1. Anonymous Coward

      RE: Or is this what's meant by 'agile'

      This isn't the first dig at agile in this thread, and whilst I get that some disapprove of it I find it really annoying that something (package management and external dependencies) which has *absolutely nothing* to do with agile is being used as a stick for pet hates.

      Bad dependency handling happens in waterfall too (and any other way of working you care to think of).

      It's conflating two things that are entirely unrelated. If you don't get that, then you really need to discover what agile actually is - and then at least hate it with the added benefit of knowing why.

      1. HieronymusBloggs Silver badge

        Re: RE: Or is this what's meant by 'agile'

        "If you don't get that, then you really need to discover what agile actually is - and then at least hate it with the added benefit of knowing why."

        I suspect your joke detector may need adjusting.
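    The two practices argued for above, running your own local repository (the Anonymous Coward's "Rule 1") and keeping every external dependency pinned and stored under your own control (FatGerman's point), can be checked mechanically against an npm lockfile. The script below is an added example, not code from the article or from any commenter: it audits a package-lock.json and reports every dependency that is not resolved from an internal mirror, has no integrity hash, or is not pinned to a registry artifact at all. The mirror URL (npm.internal.example), the package names and the sample lockfile are all constructed for the demo.

```javascript
// Added example, not code from the article or any commenter: audit an npm
// package-lock.json for dependencies that are not pinned to an artifact on
// our own mirror with an integrity hash.  Usage: node audit.js package-lock.json
// (with no argument it audits the constructed SAMPLE_LOCK below).

const ALLOWED_REGISTRY = 'https://npm.internal.example/'; // hypothetical internal mirror

// Flatten either lockfile layout into a list of { dep, entry }:
// lockfileVersion 1 nests "dependencies"; versions 2/3 use a flat "packages" map.
function flattenLock(lock) {
  const out = [];
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === '' || entry.link) continue; // root project / workspace symlinks
      const dep = key.split('node_modules/').filter(Boolean)
        .map((s) => s.replace(/\/$/, '')).join(' > ');
      out.push({ dep, entry });
    }
    return out;
  }
  (function visit(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const chain = path.concat(name);
      out.push({ dep: chain.join(' > '), entry });
      visit(entry.dependencies, chain);
    }
  })(lock.dependencies, []);
  return out;
}

// One finding per policy violation; an empty array means the lockfile is clean.
function auditLockfile(lock, allowedRegistry = ALLOWED_REGISTRY) {
  const findings = [];
  for (const { dep, entry } of flattenLock(lock)) {
    const resolved = entry.resolved || '';
    if (!resolved) {
      findings.push({ dep, problem: 'no resolved URL: version is not pinned to an artifact' });
    } else if (!/^https?:\/\//.test(resolved)) {
      findings.push({ dep, problem: `non-registry source: ${resolved}` });
    } else if (!resolved.startsWith(allowedRegistry)) {
      findings.push({ dep, problem: `fetched from outside our mirror: ${resolved}` });
    }
    if (!entry.integrity) {
      findings.push({ dep, problem: 'no integrity hash: contents cannot be verified' });
    }
  }
  return findings;
}

// Constructed sample (lockfileVersion 1) exercising each case; package names are made up.
const SAMPLE_LOCK = {
  name: 'demo-app', version: '1.0.0', lockfileVersion: 1,
  dependencies: {
    'left-pad-ish': {                       // pinned, on the mirror, hashed: clean
      version: '1.3.0',
      resolved: 'https://npm.internal.example/left-pad-ish/-/left-pad-ish-1.3.0.tgz',
      integrity: 'sha512-CONSTRUCTED',
      dependencies: {                       // transitive dep pulled straight from npmjs
        'tiny-helper': {
          version: '0.1.0',
          resolved: 'https://registry.npmjs.org/tiny-helper/-/tiny-helper-0.1.0.tgz',
          integrity: 'sha512-CONSTRUCTED',
        },
      },
    },
    'from-git': { version: '2.0.0', resolved: 'git+https://example.invalid/from-git.git#abc' },
    'no-pin': { version: '0.9.0' },        // no artifact URL, no hash
  },
};

const lockPath = typeof process !== 'undefined' && process.argv[2];
const lock = lockPath ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8')) : SAMPLE_LOCK;
for (const f of auditLockfile(lock)) console.log(`${f.dep}: ${f.problem}`);
```

    Pointing npm at the mirror is a `registry=` line in `.npmrc`, and `npm ci` installs exactly what the lockfile pins; the audit above is the check that the lockfile you committed actually reflects that policy, including for transitive dependencies, which is where stray registry.npmjs.org URLs usually hide.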

  10. Alistair Silver badge

    as for the "Libraries without librarians" comment, I call those dumpsters. Or at the very least recycle bins.

    And the devs around here wonder why I make them use *our* repos.....


Biting the hand that feeds IT © 1998–2019