
Npm package author revokes his packages, breaking tons of builds

March 23, 2016


I just came across an interesting post via Hacker News, from an author of several hundred NPM packages (some of them quite popular) who just removed all of his packages from NPM.

Tons of other projects around the world depending on his packages broke as a result of this. The NPM project responded by un-un-publishing the packages:

Hey npm users: left-pad 0.0.3 was unpublished, breaking LOTS of builds. To fix, we are un-un-publishing it at the request of the new owner.

— Laurie Voss (@seldo) March 22, 2016

While you can say that the original author was not very nice to do this as a protest, and without warning, I think it highlights a larger underlying problem, not just in NPM but also in other packaging systems:

  • We’re currently relying on the trustworthiness and ethics of many package authors.
  • Package repositories are a critical piece of our infrastructure.

Both are single points of failure for a lot of projects, except the few that actually commit their node_modules, vendor, etc. directories to their GitHub repository.

Another interesting thing is that package authors can not only un-publish their packages, they can even modify already-released packages.

I think this is a very weak link in our infrastructure. What we need is a packaging system that is:

  • Immutable / Append-only
  • Decentralized
  • Lots of redundancy, because anyone can run a mirror.

Append-only means that once you publish a package, it can never be changed or unpublished. It can’t be censored or taken down. This puts the control back in the hands of the user, and we’re no longer at the mercy of package developers or centralized repositories.
