Packages with high download numbers that nobody wanted to install
Today's one of these days when I just ask myself why the entire web development ecosystem doesn't implode.
So what's up?
npm's rich ecosystem plays a substantial role in web development. There's a package for literally everything. And even though npm provides scoped packages these days (`@stefanjudis/a-package`), it's still common to release a package with a simple name.
npm is the wild wild west in this regard. Did you find a free package name? Great! Take it and do whatever you like with it.
But what's a valid package name in the first place?
Of course, npm provides an npm package to answer this question: `validate-npm-package-name`. Use it in your Node.js scripts to check whether a package name would be valid on the npm registry. The project repository also lists the requirements for valid npm package names.
Let's look at a few of the listed requirements:
- a package name shouldn't start with a
- a package name shouldn't contain trailing or leading spaces or fancy characters such as
- a package name's length should be greater than zero
Reread the last point... Single character package names are valid on npm.
Let's think this through. What happens if you accidentally hit the spacebar while typing the `-g` flag to install a package globally?
`npm install - g foo`
The `-` package has roughly 25k weekly downloads, with 184 projects accidentally depending on it. That's beyond wild!
The package owner could easily release some malicious and nasty things, and would just have to wait for all the poor people to hit the wrong keys in their terminals.
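As an added example (not code from the original post), here is a small Node.js check that covers both halves of that scenario from the defender's side: it scans a package.json for single-character or flag-like dependency names such as `-`, and it spots the "- g" keyboard slip in an argument list before it turns into an install. The package.json is constructed for the demo.

```javascript
// Constructed sample package.json with two accidental single-character deps.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "demo-app",
  dependencies: { "-": "0.0.1", "express": "^4.18.2" },
  devDependencies: { "g": "1.0.0", "jest": "^29.0.0" },
});

// package.json sections that can pull code onto a machine.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Strip an npm scope (@scope/name -> name) so the length check sees the bare name.
function bareName(name) {
  return name.startsWith("@") ? (name.split("/")[1] ?? "") : name;
}

// Return every dependency whose bare name is at most maxLen characters long
// or starts with "-", i.e. names that almost certainly come from a typo.
function findSuspiciousDeps(packageJsonText, maxLen = 1) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const name of Object.keys(pkg[field] ?? {})) {
      const bare = bareName(name);
      if (bare.length <= maxLen || bare.startsWith("-")) {
        findings.push({ field, name });
      }
    }
  }
  return findings;
}

// Detect a bare "-" argument followed by a single letter: the "npm install - g foo"
// slip from the post, where "-g" was split into two package names.
function findSplitFlags(argv) {
  const hits = [];
  for (let i = 0; i < argv.length - 1; i++) {
    if (argv[i] === "-" && /^[a-zA-Z]$/.test(argv[i + 1])) {
      hits.push(`-${argv[i + 1]}`);
    }
  }
  return hits;
}

// Stand-alone run: report on the sample manifest and a mistyped command line.
console.log(findSuspiciousDeps(SAMPLE_PACKAGE_JSON));
console.log(findSplitFlags(["install", "-", "g", "foo"]));
```

Wire `findSuspiciousDeps` into a CI step over the real package.json and the two accidental entries above show up as `-` and `g`, while `express` and `jest` pass.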
Discoveries like these make me wonder how and why our web development ecosystem works, and why people aren't abusing it more often. 🤷‍♂️
If you want to learn more, read about the infamous `-` package on bleepingcomputer.com.