The circular dependency problem is kind of "90's interview question" easy (source: I was asked this in an interview in the 90's). What other comically obvious lessons remain to be painfully learned for npm folks?
The worst thing is that this already happened in January 2023. NPM again showing that only the brightest of the brightest are working on this ecosystem o7
As far as we know, NPM's solution was to flag the organization (making the links to the issues within the article useless) and to remove the packages without any policy change.
They won't learn anything from this, they'll blame the authors for "using NPM wrong" just like the dogpiling comments were on the everything repo before mass flagging by the same people booted it off GitHub.
We'll see if there is any real policy change. I hope there is, at the very least to avoid another instance of this mistake, but also to prevent genuine targeted abuse of this policy failure.
For now, NPM is slowly taking all the packages down, and GitHub has forcefully made the org private: https://imgur.com/a/WuSpBQi
> One user, Matt Lucock, lambasted the group for “reckless negligence” and for blaming NPM for the fallout of their project.
> “You have deluded yourselves into believing that the problem isn’t that you abused the registry, but that npm’s unpublish rules don’t hold up to someone abusing the registry in this way,” Lucock wrote, adding that the unpublish rules are necessary “protect the integrity of the registry.”
This person sounds like the kind that would feel satisfied when a low-level scapegoat got lynched in a security breach aftermath while ignoring the high-level management issue.
A couple other Matt quotes (all from a 2k word issue opened 9 hours ago):
> It's so nice to know that the group of bad actors—or the group of good actors who have been so stupid and negligent as to effectively be bad actors—who abused the registry and have recklessly caused problems for an untold number of people who were just minding their own business, "appreciate" our "patience" while they "resolve" the "issues"
> Part of me wishes you guys actually were just malicious. The fact that you're not, and instead did this purely out of stupidity, is somehow even more infuriating.
> do not care about you. I am here solely because you guys fucked up. It's one thing to fuck up privately, and another to fuck up publicly on a small scale, but fucking up publicly on a large scale, through nothing but sheer reckless negligence, trying to execute an idea that was obviously stupid to begin with, is a whole other thing. All of this is so shockingly, mortifyingly unprofessional. What the hell were you thinking?
I have no real problem with Matt, obviously this is a real issue and I have nothing but sympathy (especially for all those that calmly voiced that they were impacted by this), but to shoot all this at a high schooler and hobbyist is ridiculous. I expressed similar sentiments to what you said.
The fact that adding a book to the shelf of a library can somehow affect other books is such a weird design. They band-aided a fix for left-pad, but, shocker, that had unintended consequences.
Of course they were behaving unprofessionally, they're literally high schoolers and they're not at work. This doesn't even rise to the level of an exploit, they broke NPM doing something that is totally normal.
I wonder what other pathological packages could be devised. Like, a package that only includes packages that are not included anywhere else. It could be called “barber”.