January 4, 2024 at 04:56AM
The npm package registry was flooded with over 3,000 packages during the holidays, leading to the creation of the “everything” package. Installing “everything” results in the download of every npm package, causing storage and performance issues. Because “everything” and its related packages declare every other package as a dependency, authors are unable to remove their own packages from the registry, which has prompted a policy shift in the npm registry.
The notes highlight a recent incident involving the npm package registry and an npm package called “everything.” This package caused significant disruption within the npm ecosystem by making it impossible for authors to remove their packages from the registry. “everything” and its related packages had extensive dependency chains, leading to the potential download of millions of packages. The author, gdi2290 (PatrickJS), has issued an apology for the difficulties caused and has engaged with npm admins to address the issue. The npm policy change, introduced after past incidents, now only allows authors to unpublish a package if no other package depends on it. This policy inadvertently affected the “everything” author as well, preventing the easy removal of the prank packages. As of the latest observation, the related “@everything-registry” scoped packages have been made private, which may resolve the issue.