by defied on 1/6/24, 7:22 PM with 151 comments
by superasn on 1/6/24, 9:06 PM
So not asking rhetorically, if we had all the insight and knowledge we have now, how would you make it different?
by jasonjmcghee on 1/7/24, 5:39 PM
> It was removed, but then reemerged under a different scope with over 33,000 sub-packages. It's like playing whack-a-mole with npm packages!
> This whole saga is more than just a digital prank. It highlights the ongoing challenges in package management within the npm ecosystem. For developers, it's a reminder of the cascading effects of dependencies and the importance of mindful package creation, maintenance, and consumption.
> As we navigate the open source world, incidents like the everything package remind us of the delicate balance between freedom and responsibility in open-source software.
by troupo on 1/6/24, 8:55 PM
"accidentally broke NPM and all I got was this sweet permanent banner all over my Github (that's impossible to remove since they probably had to code it up last minute before removing the org/repo)"
by ruune on 1/6/24, 9:19 PM
by navtoj on 1/6/24, 8:47 PM
by dang on 1/6/24, 11:02 PM
'everything' blocks devs from removing their own NPM packages - https://news.ycombinator.com/item?id=38873944 - Jan 2024 (102 comments)
by SquidJack on 1/7/24, 2:08 PM
by yreg on 1/7/24, 10:39 AM
Has no one thought of that? It seems like it should have been obvious that such an absolute rule could be easily abused to troll the system at scale.
Not sure if it's a problem though, perhaps all unpublishing requests should be reviewed by someone at the registry (and granted only when it makes sense).
by rubyissimo on 1/7/24, 10:32 AM
Is npm specifically vulnerable to this kind of thing? Or is it just a cultural element of npm that there are more micro-packages?
by ramesh31 on 1/7/24, 6:40 AM
by frabjoused on 1/6/24, 9:27 PM
by happens on 1/7/24, 12:06 PM
by francisduvivier on 1/7/24, 9:25 AM
"Just install the everything package, then you will be sure to have the right package"
by leros on 1/7/24, 6:08 PM
by Affric on 1/6/24, 9:01 PM
> First, just want to apologize about any difficulties this package has caused.
No rationale. No shame. Just the word “apologize” in a sentence.
Who downloaded it though? Surely as a dev if you download such a package it’s on you?