console-feed appears to have disappeared from the npm registry

[Rheeseyb]

https://www.npmjs.com/package/console-feed is now returning a 404. This appears to have happened within the last hour, and https://status.npmjs.org/ isn't reflecting any issues on their side

[nicksrandall]

I may publish up a clone to my namespace until this issue can be resolved.

[Rheeseyb]

I contacted npm support and was told that it was unpublished:

GitHub (GitHub Support) Jun 29, 2023, 3:26 PM UTC

Hi,

Thanks for contacting npm Support!

console-feed was unpublished earlier today at 2023-06-29T14:06:00.72.

We've initiated a republishing block to protect a package's name space after a full unpublish. Meaning, that after a package has been unpublished, a new package typically won't be able to be published to that name for 24 hours.

Unfortunately, there is no way to re-use a version of a package in the npm registry, even if it's been unpublished. The reason for this is that various systems rely on "name@version" being a unique identifier, and start throwing security warnings if the shasum changes.

This also closes a very significant potential security vulnerability if any part of the registry infrastructure is ever compromised, without asking humans to keep track of opaque shasums themselves.

For this reason, we recommend publishing a new version even the most trivial updates.

Thank you so much.

Jude GitHub Support Supporting the npm registry

As you can see no reason was given, so at this stage we have no clue if this was deliberate, accidental, or perhaps even a compromised account. In the mean time we have opted to fork the package, build and commit the /lib folder for the version we were using, and then updated our npm dependency to point to that GitHub repo whilst we wait to see if anything changes here.

[nicksrandall]

I do not plan to do any maintenance on this repo but I have published an exact clone of version 3.5.0 to @nicksrandall/console-feed

[aurimasmi]

I got in touch with owner of library today and seems like account was compromised, but he's sorting this out.. So hopefully it will be republished within 24h.

[samdenty]

Yeah somehow there is a newly created access token that I presume revoked the package. The strange thing is I have 2fa on my account and use a randomised password, so I’ve no clue how this happened. I’ve changed the password and 2fa to be safe, but would like to know for certain who did this. I contacted npm support and they said I would need to file legal proceedings to get the IP addresses. I’ve scanned my MacBook for malware and haven’t found anything cause I’m very cautious

[samdenty]

I will try to republish within 24hrs

[theshadow27]

Just checking, in here, it seems to be 25 hours since 2023-06-29T14:06:00.72 (in the message above) - any luck on the republish attempt?

[samdenty]

nope no luck yet i've just sent a message to NPM saying it's not letting me republish so that might take until the end of monday.

[samengstrom]

Any luck yet?

[samdenty]

no luck yet, I've tried email NPM support to no avail. I've tweeted something, hoping it can reach someone on the NPM team to escalate and restore all my packages

retweets would be appreciated, and pinging anyone at NPM support if you know them:

https://twitter.com/samddenty/status/1675871527676305408?s=46&t=BHioRA7yXyP06sjXuJYPRA

[LivioGama]

@nicksrandall/console-feed

I will use this meantime, thanks!

[gaweki]

Any luck yet @samdenty ?

[liorsbg]

Is this legit? https://www.npmjs.com/package/console-feed-optimized

[Rheeseyb]

Hey, has there been any update from npm support about this?

[samdenty]

nope i've emailed them about 4 times for updates and it's still taking forever. I'm really sorry about this. I discovered that it's not possible to unpublish a package with dependents so I now don't think my account was compromised, and instead this is all NPM's fault. I'm not impressed with how long it's taking. I'll email them again with this thread

[Rheeseyb]

It's back! https://www.npmjs.com/package/console-feed

I don't know what you did @samdenty but it worked, and all previously published versions are available again ❤️

[samdenty]

Awesome! glad this could be solved even though it took so long 😅 still would like to know what happened, will post an update here when npm support emails back

i'll leave this issue open for visibility for another week then close