You don't get to have it both ways.
If you go by the spirit of things tanking a package and Github/MS taking over to undo that are fair game.
If you want to go by the letter and what legal rights someone has:
https://docs.npmjs.com/policies/conduct
> The Service administrators reserve the right to make judgment calls about what is and isn't appropriate in published packages, package names, user and organization names, and other public content. Package that violates the npm Service's Acceptable Use rules including its Acceptable Content rules will be deleted, at the discretion of npm.
https://docs.npmjs.com/policies/open-source-terms
> Your Content belongs to you. You decide whether and how to license it. But at a minimum, you license npm to provide Your Content to users of npm Services when you share Your Content. That special license allows npm to copy, publish, and analyze Your Content, and to share its analyses with others. npm may run computer code in Your Content to analyze it, but npm's special license alone does not give npm the right to run code for its functionality in npm products or services.
> When Your Content is removed from npm Services, whether by you or npm, npm's special license ends when the last copy disappears from npm's backups, caches, and other systems. *Other licenses, such as open source licenses, may continue after Your Content is removed. Those licenses may give others, or npm itself, the right to share Your Content with npm Services again.*
https://github.com/Marak/colors.js/blob/master/LICENSE
Seriously, why are people so adamant about defending this? We're all part of a giant ecosystem that relies on everyone being "a freeloading dick" in your eyes. Colors wouldn't have its audience without its creator being a "freeloading dick" and expecting NPM to serve it millions of times for free. NPM relies on a JS ecosystem propped up by "freeloading dicks".
"Freeloading dick" is such a dumb characterization of what it really is: expecting FOSS creators and maintainers to be somewhat cognizant of the ecosystem past the tip of their nose.
You meant CDK (aws-cli is written in Python) but it’s not that simple: they shipped a lock file which pinned 1.4.0 but while NPM honors that the popular yarn package manager does not:
https://github.com/aws/aws-cdk/issues/18322#issuecomment-100...
This floating behavior allowed for it to be overridden locally:
https://github.com/aws/aws-cdk/issues/18322#issuecomment-100...
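The pinning-versus-floating distinction the comment above turns on, as an added example (not code from the thread, from aws-cdk, npm or yarn): a caret range such as `^1.4.0` in package.json admits every later 1.4.x release, so a fresh install with no lockfile picks the newest one, while a lockfile records one exact version. The semver subset, the package.json, the package-lock.json and the registry snapshot are all constructed here for illustration; only exact, `~` and `^` ranges without prerelease tags are handled.

```javascript
// Added example: why "^1.4.0" floats and what a lockfile pins.
// Supports a subset of semver: exact, "~" and "^" ranges on x.y.z versions.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive lower bound and exclusive upper bound implied by a range.
function rangeBounds(range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = op ? range.slice(1) : range;
  const [major, minor, patch] = parseVersion(base);
  let upper;
  if (op === '') upper = [major, minor, patch + 1];   // "1.4.0": exactly 1.4.0
  else if (op === '~') upper = [major, minor + 1, 0]; // "~1.4.0": <1.5.0
  else if (major > 0) upper = [major + 1, 0, 0];      // "^1.4.0": <2.0.0
  else if (minor > 0) upper = [0, minor + 1, 0];      // "^0.4.0": <0.5.0
  else upper = [0, 0, patch + 1];                     // "^0.0.4": <0.0.5
  return { lower: base, upper: upper.join('.') };
}

function satisfies(version, range) {
  const { lower, upper } = rangeBounds(range);
  return compareVersions(version, lower) >= 0 && compareVersions(version, upper) < 0;
}

// Highest published version a range resolves to when no lockfile is consulted.
function resolveHighest(range, published) {
  const candidates = published.filter((v) => satisfies(v, range)).sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Compare declared ranges with what the lockfile pins. Uses the
// lockfileVersion 2/3 layout: lock.packages["node_modules/<name>"].version.
function auditDependencies(pkg, lock, published) {
  const report = {};
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    const entry = lock.packages[`node_modules/${name}`];
    const locked = entry ? entry.version : null;
    report[name] = {
      range,
      locked,
      floating: /^[\^~]/.test(range),
      lockedSatisfiesRange: locked !== null && satisfies(locked, range),
      freshInstallWouldPick: resolveHighest(range, published[name] || []),
    };
  }
  return report;
}

// Constructed sample inputs (not the real aws-cdk files or registry data).
const samplePackageJson = { dependencies: { colors: '^1.4.0', faker: '5.5.3' } };
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/colors': { version: '1.4.0' },
    'node_modules/faker': { version: '5.5.3' },
  },
};
const samplePublished = {
  colors: ['1.3.3', '1.4.0', '1.4.44'],
  faker: ['5.5.3', '6.6.6'],
};

const sampleReport = auditDependencies(samplePackageJson, sampleLock, samplePublished);
console.log(JSON.stringify(sampleReport, null, 2));
```

In the report, `colors` is flagged as floating: the lock pins 1.4.0, but a fresh install that ignores the lock picks 1.4.44 because `^1.4.0` admits it. `faker` is an exact pin, so the lock and a fresh install agree. Installing with `npm ci` uses the lockfile's exact versions; an install that does not consult the lockfile is governed only by the range.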
Checking in your dependencies with https://github.com/JamieMason/shrinkpack can help insulate you from these problems until you're ready to face them. I created this before left-pad and thankfully meant that we were unaffected.
A lot of developers, understandably, baulk at checking in dependencies, but there is a concrete benefit in being able to continue uninterrupted during outages.
There is a TC39 proposal for a "Javascript Standard Library." It's at stage 1, which is better than stage 0.
https://github.com/tc39/proposal-built-in-modules
They supposedly took over the npm packages[0,1], not the github.com repos. npm is a system where you push archives as package versions, it doesn't do its own pull from a github repo or otherwise.
0: https://www.npmjs.com/package/colors
1: https://www.npmjs.com/package/faker
iirc the biggest issue with `npm ci` before was that it cleared node_modules, which used to be the primary way of caching deps in CI builds, but now most suggest caching ~/.npm[0].
0: https://github.com/actions/cache/blob/main/examples.md#node-...
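The cache layout the comment above describes, as an added example that is not from the thread or from the linked page: a GitHub Actions job that runs `npm ci` (which installs from the lockfile and removes any existing node_modules) while caching the npm download cache in `~/.npm`, keyed on the lockfile hash so the cache is invalidated when dependencies change. The workflow and action versions are assumptions for illustration.

```yaml
# Added example: cache ~/.npm rather than node_modules when using npm ci.
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # Cache the npm download cache, not node_modules: npm ci deletes
      # node_modules on every run, so caching it buys nothing.
      - uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-
      # Installs exactly what package-lock.json records and fails if the
      # lockfile and package.json disagree.
      - run: npm ci
      - run: npm test
```

Newer versions of actions/setup-node also accept `cache: npm`, which configures the same `~/.npm` caching keyed on the lockfile without a separate cache step.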
The whole npm ecosystem is so fragile.
Remember event-stream[1]? Did we learn something from that? Yes, we might have. So was it improved? Never. People are still installing the 'new' colors package and wondering why its text is broken.
What if he had uploaded malicious code rather than just gibberish?
[1]: https://github.com/dominictarr/event-stream/issues/116