npm / registry-issue-archive

An archive of the old npm registry issue tracker
https://npm.community

Many packages suddenly disappeared #255

Closed antoniobrandao closed 6 years ago

antoniobrandao commented 6 years ago

https://www.npmjs.com/package/infinity-agent
https://www.npmjs.com/package/timed-out
https://www.npmjs.com/package/pinkie-promise

All dependencies of webpack-related modules

JAertgeerts commented 6 years ago

https://www.npmjs.com/package/require-from-string

girishla commented 6 years ago

Massive issue for us because of this. Please resolve ASAP.

girishla commented 6 years ago

I've tweeted npm support and also emailed them. Hope someone sees this soon

allquantor commented 6 years ago

https://github.com/npm/npm/issues/19534

jamesplease commented 6 years ago

I believe this issue affects packages with versions before 2018 as well as versions after 2018.

Versions before 2018 cannot be installed, while versions after 2018 can be. For instance,

require-from-string@2.0.0 is unavailable, while require-from-string@2.0.2 is available. The difference between them is their publish year. Note that 2.0.2 was just published, which kicked off this series of problems.


Update: This theory appears to be wrong. See @BlackHole1 's comment below :)

Instead, this appears to be because floatdrop's packages have disappeared.

BlackHole1 commented 6 years ago

@jmeas Not so, because someone registered the package.

antoniobrandao commented 6 years ago

They come and go.

Just today I've seen the package "infinity-agent" missing, then it came back, disappeared again, and came back again.

Very flimsy behaviour from NPM.

jamesplease commented 6 years ago

Ah, I see @BlackHole1 . That makes sense.

If that's the case, then this is a big security issue if someone hijacks a critical project and replaces it with some malicious code.

teawithfruit commented 6 years ago

@jmeas And I thought that this was only a "problem" between 1999 and 2000. ;)

robbiethegeek commented 6 years ago

@jmeas https://www.npmjs.com/package/require-from-string doesn't exist at the moment. Is that the page for your module?

antoniobrandao commented 6 years ago

I just HOPE during this time it is not possible to actually create a new package with the same name as these missing ones. So many projects would have their dependencies broken.

girishla commented 6 years ago

There should be a mirror for issues like this.

mbensch commented 6 years ago

@antoniobrandao It is possible. I have re-published some of the packages that were missing with the code that was available on GitHub. The original author has deleted his NPM account and dropped all his packages. But it seems like NPM keeps dropping packages. No idea why.

antoniobrandao commented 6 years ago

@mbensch OMG 😨😨😨😨

lafama commented 6 years ago

This one package https://www.npmjs.com/package/duplexer3 was unavailable for close to 30 mins. Now it's back, but the interesting thing is that it appears it was published 5 mins ago.

jekh published 19 minutes ago

antoniobrandao commented 6 years ago

So much for NPM reliability.

paulwib commented 6 years ago

Looks to me all these packages were originally published by @floatdrop, see google cache. Anyone seen any other users affected?

@mbensch looks like his account still exists just all packages gone.

marco476 commented 6 years ago

Same problem for the require-from-string package, which doesn't allow me to use create-react-app.

ghost commented 6 years ago

@marco476 same here, can't even install create-react-app

LitoMore commented 6 years ago

All the packages by this user https://www.npmjs.com/~floatdrop are missing.

Amurmurmur commented 6 years ago

Same problem here, can't even upgrade my current project with webpack 👎

Lian1230 commented 6 years ago

What happened to floatdrop? Being hacked?

gino commented 6 years ago

Same problem here, trying to run npm install. Returns:

npm ERR! code ENOVERSIONS
npm ERR! No valid versions available for timed-out

LittleWhiteYA commented 6 years ago

node 9.3.0 npm 5.6.0

npm ERR! code ENOVERSIONS
npm ERR! No valid versions available for duplexer3

mbensch commented 6 years ago

@paulwib I checked earlier and his account was gone. I guess he's actively trying to delete it all because after I re-upped pinkie-promise I added him as contributor and it was unpublished shortly after.

randinterval commented 6 years ago

Left pad all over again.

LitoMore commented 6 years ago

Today is NPM's doomsday?

Cassianosch commented 6 years ago

better than a week day

mschnee commented 6 years ago

Yeoman is also affected.

teawithfruit commented 6 years ago

https://twitter.com/npmstatus/status/949728719450460161

fernandes commented 6 years ago

this is an ongoing incident. the team is working on it. sorry to all https://status.npmjs.org/incidents/41zfb8qpvrdj

source: https://github.com/npm/npm/issues/19534#issuecomment-355770947

girishla commented 6 years ago

Why do I feel like the world is ending! It's just a bloody registry.

antoniobrandao commented 6 years ago

@mbensch Removing one's own packages is impossible if they are more than 24 hours old.

https://docs.npmjs.com/cli/unpublish

Quote:

With the default registry (registry.npmjs.org), unpublish is only allowed with versions published in the last 24 hours. If you are trying to unpublish a version published longer ago than that, contact support@npmjs.com.

So these packages we are talking about would need NPM staff's intervention to be removed.

antoniobrandao commented 6 years ago

Update from NPM staff

[image: screenshot of the update from NPM staff]

cormacrelf commented 6 years ago

Well, just before that status page with the advisory about not doing exactly this, I semver-bumped floatdrop's vinyl-git to 1.0.0. This should be treated as a security breach (if I'd only bumped to 0.0.9, any real users running npm install with the default semver range would potentially be caught). I'd prefer if NPM wiped all of them and accepted a bit of downtime on floatdrop's legacy until they can control the influx of hijackings.

Edit: unpublished.

ghost commented 6 years ago

lmao, this is the new generation of programmers, this is our future

benatkin commented 6 years ago

this seems to be the root cause of this issue https://github.com/zeit/next.js/issues/3542

mapinis commented 6 years ago

Of course this happens right as I try to start a new project

ghost commented 6 years ago

@mapinis At least you hadn't installed a fresh version of Windows, as I did....

jaaaco commented 6 years ago

"please do not attempt to republish packages" .... I tried exactly that from my fork ... sorry npm team!

Darkensses commented 6 years ago

Pray for NPM :c

mapinis commented 6 years ago

@piotrSatlawa I guess I'm lucky then

lazarljubenovic commented 6 years ago

Guys, chill down. The team is obviously working on it now that they've posted on https://status.npmjs.org/.

At least we can left-pad our strings this time :tada:

mcquiggd commented 6 years ago

Keep calm, and have a beer.

reinaldo-rda commented 6 years ago

npm ERR! code ENOVERSIONS
npm ERR! No valid versions available for timed-out

rnataoliveira commented 6 years ago

Just when I was going to start a project ...

mbensch commented 6 years ago

It's Saturday. I'm gonna go get a Margarita and wait what happens 🍸

antoniobrandao commented 6 years ago

@jbirer true... this is what you get when your team becomes a bunch of hipster SJWs

racbart commented 6 years ago

Please be cautious because duplexer3 was republished by a fresh npm user, not the original maintainer, so it's probably a package takeover.

They have published another four versions since then, so it's possible they initially republished an unchanged package but are now messing with the code. Previously the package belonged to someone else: https://webcache.googleusercontent.com/search?q=cache:oDbrgPbT5m0J:https://www.npmjs.com/package/duplexer3

I'm not saying it's a malicious attempt, but it might be, and it very much looks like it. Be cautious, as you might not notice if some packages your code depends on were republished with malicious code. It might take some time for NPM to sort this out and restore the original packages.
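The republish indicators described in this thread (a version gap where a package was unpublished, new versions appearing under a publisher who never published before, a pinned version whose tarball no longer matches) can be checked mechanically against the package's registry metadata. The following script is an added example and is not code from the thread or from npm; the package name, user names and `sha512-...` integrity values are constructed placeholders.

```javascript
// Added example: flag republish and takeover indicators in a full npm packument
// (the JSON registry.npmjs.org returns for GET /<name> with Accept: application/json;
// the abbreviated format omits _npmUser) and compare it with what package-lock.json pins.
// Constructed sample packument; package name, user names and hashes are made up.
const packument = { name: 'example-dep',
  time: {
    created: '2016-03-01T00:00:00Z', modified: '2018-01-06T21:00:00Z',
    '1.0.0': '2016-03-01T00:00:00Z', '1.0.1': '2016-05-01T00:00:00Z',
    '1.0.2': '2018-01-06T20:00:00Z', '1.0.3': '2018-01-06T21:00:00Z',
  },
  versions: {  // 1.0.0 is absent: it was unpublished
    '1.0.1': { _npmUser: { name: 'orig-author' }, dist: { integrity: 'sha512-AAA' } },
    '1.0.2': { _npmUser: { name: 'new-user' },    dist: { integrity: 'sha512-BBB' } },
    '1.0.3': { _npmUser: { name: 'new-user' },    dist: { integrity: 'sha512-CCC' } },
  },
};
// Constructed package-lock.json entry for the same package.
const lockEntry = { version: '1.0.0', integrity: 'sha512-ZZZ' };
// Numeric compare of x.y.z strings so "1.0.10" sorts after "1.0.9".
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Returns a list of findings; an empty list means nothing suspicious.
function auditPackument(pkg, lock) {
  const findings = [];
  const history = Object.keys(pkg.time)
    .filter(v => /^\d+\.\d+\.\d+$/.test(v)).sort(cmpVersion);
  // 1. Versions the registry once listed but no longer serves.
  const gone = history.filter(v => !pkg.versions[v]);
  if (gone.length) findings.push(`unpublished versions: ${gone.join(', ')}`);
  // 2. A version published by a user who published no earlier version.
  const seen = new Set();
  for (const v of history) {
    const user = pkg.versions[v] && pkg.versions[v]._npmUser.name;
    if (!user) continue;
    if (seen.size && !seen.has(user)) findings.push(`${v} published by new user ${user}`);
    seen.add(user);
  }
  // 3. The pinned version must still exist with the same tarball hash.
  const pinned = pkg.versions[lock.version];
  if (!pinned) findings.push(`pinned ${lock.version} no longer on registry`);
  else if (pinned.dist.integrity !== lock.integrity)
    findings.push(`integrity changed for ${lock.version}`);
  return findings;
}
console.log(auditPackument(packument, lockEntry));
```

A first-time publisher is only a signal, not proof of a takeover; the integrity mismatch on a pinned version is the finding that should block an install.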

Kimeiga commented 6 years ago

I do love npm in concept but after reading about left-pad, there are two things that I get worried about:

  1. People can unpublish their packages whenever they please (and I suppose they have every right to).
  2. npm sort of has ownership of the packages you publish, and if there is legal trouble they take packages away from you.

Are these just faults of the system, or is there a way to structure a package manager in such a way as to fix these problems?