on dependency squatter packages
This week, after we announced changes to our unpublish policy, some community members created a series of packages that depend on every package in the registry. Functionally, these packages exist to ensure that every package has at least one dependent package. A full list of these packages is here.
Other members of the community quickly notified us of these packages. In response, we have contacted the authors of these packages and we are removing all of these packages from the registry, effective 6:00pm PST today (March 30, 2016).
All of the authors we contacted were cooperative and responded in good faith to our requests :) This is not a fight; we’re communicating this situation for the sake of transparency, not drama.
Here’s why we’ve taken this step:
- These packages are harmful. If an npm user were to try to install one of them, the installation most likely would fail. Worse, there’s the small chance that installing would succeed … in filling up their hard drive with a lot of junk, and spinning their CPU for a very long time. We can’t guarantee the safety or security of all packages in the registry, but when we learn about packages with harmful effects like these, we have a responsibility to act to protect the community.
We utterly depend on our community — for making the npm registry useful and safe for everyone, and for helping us make policies that balance everyone’s needs and keep everyone safe. We’re grateful to everyone who reached out to alert us to these packages — honestly, thank you! — and we’re also open to continue discussing it with you to understand your concerns. If you have concerns or questions, please contact firstname.lastname@example.org.
Here is the email we sent to the authors of these packages.