Closed antoniobrandao closed 6 years ago
massive issue for us because of this. Please resolve asap
I've tweeted npm support and also emailed them. Hope someone sees this soon
I believe this issue affects packages with versions before 2018 as well as versions after 2018.
Versions before 2018 cannot be installed, while versions after 2018 can be. For instance, require-from-string@2.0.0 is unavailable, while require-from-string@2.0.2 is available. The difference between them is their publish year. Note that 2.0.2 was just published, which kicked off this series of problems.
Update: This theory appears to be wrong. See @BlackHole1's comment below :)
Instead, this appears to be because floatdrop's packages have disappeared.
@jmeas Not so, because someone registered the package
They come and go.
Just today I've seen the package "infinity-agent" missing, then it came back, disappeared again, and came back again.
Very flimsy behaviour from NPM.
Ah, I see @BlackHole1. That makes sense.
If that's the case, then this is a big security issue if someone hijacks a critical project and replaces it with some malicious code.
@jmeas And I thought that this was only a "problem" between 1999 and 2000. ;)
@jmeas https://www.npmjs.com/package/require-from-string doesn't exist at the moment is that the page for your module?
I just HOPE during this time it is not possible to actually create a new package with the same name as these missing ones. So many projects would have their dependencies broken.
There should be a mirror for issues like this.
@antoniobrandao It is possible. I have re-published some of the packages that were missing with the code that was available on GitHub. The original author has deleted his NPM account and dropped all his packages. But it seems like NPM keeps dropping packages. No idea why.
@mbensch OMG 😨😨😨😨
This one package https://www.npmjs.com/package/duplexer3 was unavailable for close to 30 mins. Now it's back, but the interesting thing is that it appears it was published 5 mins ago:
jekh published 19 minutes ago
So much for NPM reliability.
Looks to me all these packages were originally published by @floatdrop, see google cache. Anyone seen any other users affected?
@mbensch looks like his account still exists just all packages gone.
Same problem for the require-from-string package, which doesn't allow me to use create-react-app.
@marco476 same here, can't even install create-react-app
All the packages by this user https://www.npmjs.com/~floatdrop are missing.
Same problem here, can't even upgrade my current project with webpack 👎
What happened to floatdrop? Was he hacked?
Same problem here, trying to run npm install. Returns:
npm ERR! code ENOVERSIONS
npm ERR! No valid versions available for timed-out
node 9.3.0 npm 5.6.0
npm ERR! code ENOVERSIONS
npm ERR! No valid versions available for duplexer3
@paulwib I checked earlier and his account was gone. I guess he's actively trying to delete it all because after I re-upped pinkie-promise I added him as contributor and it was unpublished shortly after.
Left pad all over again.
Today is NPM's doomsday?
better than a week day
Yeoman is also affected.
this is an ongoing incident. the team is working on it. sorry to all https://status.npmjs.org/incidents/41zfb8qpvrdj
source: https://github.com/npm/npm/issues/19534#issuecomment-355770947
why do I feel like the world is ending! It's just a bloody registry
@mbensch one removing their own packages is impossible if they are more than 24 hours old.
https://docs.npmjs.com/cli/unpublish
Quote:
With the default registry (registry.npmjs.org), unpublish is only allowed with versions published in the last 24 hours. If you are trying to unpublish a version published longer ago than that, contact support@npmjs.com.
So these packages we are talking about, would need NPM staff's intervention to be removed.
Update from NPM staff
Well, just before that status page with the advisory about not doing exactly this, I semver-bumped floatdrop's vinyl-git to 1.0.0. This should be treated as a security breach (if I'd only bumped to 0.0.9, any real users running npm install with the default semver range would potentially be caught). I'd prefer if NPM wiped all of them and accepted a bit of downtime on floatdrop's legacy until they can control the influx of hijackings.
Edit: unpublished.
lmao, this is the new generation of programmers, this is our future
this seems to be the root cause of this issue https://github.com/zeit/next.js/issues/3542
Of course this happens right as I try to start a new project
@mapinis at least you hadn't installed a fresh version of Windows, as I did....
"please do not attempt to republish packages" .... I tried exactly that from my fork ... sorry npm team!
Pray for NPM :c
@piotrSatlawa I guess I'm lucky then
Guys, chill down. The team is obviously working on it now that they've posted on https://status.npmjs.org/.
At least we can left-pad our strings this time :tada:
Keep calm, and have a beer.
npm ERR! code ENOVERSIONS
npm ERR! No valid versions available for timed-out
Just when I was going to start a project ...
It's Saturday. I'm gonna go get a Margarita and wait what happens 🍸
@jbirer true... this is what you get when your team becomes a bunch of hipster SJWs
Please be cautious because duplexer3 was republished by a fresh npm user, not the original maintainer, so it's probably a package takeover.
They published another four versions since then, so it's possible they've initially republished unchanged package, but now are messing with the code. Previously the package belonged to someone else: https://webcache.googleusercontent.com/search?q=cache:oDbrgPbT5m0J:https://www.npmjs.com/package/duplexer3
I'm not saying it's a malicious attempt, but it might be, and it very much looks like it. Be cautious, as you might not notice if some packages your code depends on were republished with malicious code. It might take some time for NPM to sort this out and restore the original packages.
I do love npm in concept but after reading about left-pad, there are two things that I get worried about:
are these just faults of the system, or is there a way to structure a package manager in such a way as to fix these problems?
https://www.npmjs.com/package/infinity-agent https://www.npmjs.com/package/timed-out https://www.npmjs.com/package/pinkie-promise
All dependencies of webpack-related modules