Packages with high download numbers that nobody wanted to install

Written by Stefan Judis
Published at
Updated at
Reading time
2min

Today's one of these days when I just ask myself why the entire web development ecosystem doesn't implode.

So what's up?

npm's rich ecosystem plays a substantial role in web development. There's a package for literally everything. And even though npm provides scoped packages these days (@stefanjudis/a-package), it's still common to release a package with a simple name.

npm is the wild wild west in this regard. Did you find a free package name? Great! Take it and do whatever you like with it.

But what's a valid package name in the first place?

Valid npm package names

Of course, npm provides an npm package to answer this question โ€“ validate-npm-package-name. Use it in your Node.js scripts to evaluate if a package name would be valid on the npm registry. The project repository also lists requirements of valid npm package names.

Let's look at a few of the listed requirements:

  • a package name shouldn't start with a . or _ (alright ๐Ÿ‘)
  • a package name shouldn't contain trailing or leading spaces or fancy characters such as ~)('!* (easy-peasy ๐Ÿ‘)
  • a package name's length should be greater than zero

Reread the last point... Single character package names are valid on npm.

Let's think this through. What happens if you accidentally hit the spacebar while typing the -g flag to install a package globally?

npm install - g foo

Jup, you guessed it right. Instead of installing one global package, you just installed three packages locally: -, g and foo. And - and g are indeed registered npm packages. ๐Ÿคฏ

Terminal showing the command "npm i - g foo" which accidentally installs the "-", "g" and "foo" package.

The - package has roughly 25k weekly downloads with 184 projects accidentally depending on it. That's beyond wild!

The package owner could easily release some malicious and nasty things, and would just have to wait for all the poor people to hit the wrong keys in their terminals.

Discoveries like these make me wonder how and why our web development ecosystem works? And why people aren't abusing it more often? ๐Ÿคทโ€โ™‚๏ธ

Read more about the infamous "-" package on bleepingcomputer.com if you want to learn more.

Was this post helpful?
Yes? Cool! You might want to check out Web Weekly for more WebDev shenanigans. The last edition went out 6 days ago.
Stefan standing in the park in front of a green background

About Stefan Judis

Frontend nerd with over ten years of experience, freelance dev, "Today I Learned" blogger, conference speaker, and Open Source maintainer.

Related Topics

Related Articles