npm Blog (Archive)


on dependency squatter packages

This week, after we announced changes to our unpublish policy, some community members created a series of packages that depend on every package in the registry. Functionally, these packages exist to ensure that every package has at least one dependent package. A full list of these packages is here.

Other members of the community quickly notified us of these packages. In response, we have contacted the authors of these packages and we are removing all of these packages from the registry, effective 6:00pm PST today (March 30, 2016).

All of the authors we contacted were cooperative and responded to our requests in good faith :) This is not a fight; we’re communicating this situation for the sake of transparency, not drama.

Here’s why we’ve taken this step:

  1. These packages violate npm’s Terms of Use. Much like a squatter package, packages like these have no individual functionality beyond depending on other packages.
  2. These packages perpetuate a misunderstanding of our updated unpublish policy. Some community members are concerned that packages like these make unpublishing packages completely impossible after the new 24-hour window, but this is not the case. These packages violate npm’s terms of use, so they aren’t valid package dependents. Having them alone wouldn’t make it impossible to unpublish a package — meaning the exercise doesn’t even meet its intended goal.
  3. These packages are harmful. If an npm user were to try to install one of them, the installation most likely would fail. Worse, there’s the small chance that installing would succeed … in filling up their hard drive with a lot of junk, and spinning their CPU for a very long time. We can’t guarantee the safety or security of all packages in the registry, but when we learn about packages with harmful effects like these, we have a responsibility to act to protect the community.
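The package shape described above (no code of its own, a dependency list that covers a huge slice of the registry) is easy to screen for from the manifest alone. The following is an added example of such a screen for a registry mirror or an internal audit job; it is not npm's own tooling, and the thresholds, the extra "every range is unpinned" signal, and the two sample manifests are assumptions constructed for illustration.

```python
import json

# Heuristic thresholds; these are assumptions for this example, not npm policy.
MAX_DIRECT_DEPENDENCIES = 200
CODE_FIELDS = ("main", "bin", "files", "exports", "module", "types")


def audit_manifest(manifest):
    """Return a list of human-readable findings for one parsed package.json.

    Flags manifests that depend on a very large set of packages while
    shipping no code of their own: the shape described in the post.
    """
    findings = []
    deps = manifest.get("dependencies") or {}
    n_deps = len(deps)

    if n_deps > MAX_DIRECT_DEPENDENCIES:
        findings.append(
            f"{n_deps} direct dependencies (threshold {MAX_DIRECT_DEPENDENCIES})"
        )

    # A package that declares no entry point, binary, or file list has nothing
    # to run; its dependencies are its only observable effect.
    has_code = any(manifest.get(field) for field in CODE_FIELDS)
    if n_deps > 0 and not has_code:
        findings.append("declares dependencies but no main/bin/files/exports")

    # Assumed extra signal: a manifest where every range is unpinned resolves
    # to whatever is newest on each install, which is typical of bulk-generated
    # dependency lists rather than hand-maintained ones.
    if n_deps > 0 and all(v in ("*", "latest", "") for v in deps.values()):
        findings.append("every dependency range is unpinned ('*' or 'latest')")

    return findings


def is_likely_squatter(manifest):
    """True when at least two independent signals fire."""
    return len(audit_manifest(manifest)) >= 2


def audit_manifest_json(text):
    """Convenience wrapper for a raw package.json string."""
    return audit_manifest(json.loads(text))


# Constructed sample manifests (not real registry data).
NORMAL_MANIFEST = {
    "name": "example-cli",
    "version": "1.0.0",
    "main": "index.js",
    "dependencies": {"minimist": "^1.2.0", "chalk": "^1.1.3"},
}

SQUATTER_MANIFEST = {
    "name": "depends-on-everything",
    "version": "0.0.1",
    "dependencies": {f"placeholder-pkg-{i}": "*" for i in range(1000)},
}

if __name__ == "__main__":
    for m in (NORMAL_MANIFEST, SQUATTER_MANIFEST):
        print(m["name"], "->", audit_manifest(m) or ["no findings"])
```

Requiring two signals rather than one keeps legitimate meta-packages (a large but pinned dependency set with a real entry point) out of the flagged set; the thresholds should be calibrated against the distribution of manifests actually seen in the registry being audited.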

We utterly depend on our community — for making the npm registry useful and safe for everyone, and for helping us make policies that balance everyone’s needs and keep everyone safe. We’re grateful to everyone who reached out to alert us to these packages — honestly, thank you! — and we’re also open to continue discussing it with you to understand your concerns. If you have concerns or questions, please contact community@npmjs.com.

Here is the email we sent to the authors of these packages.