‘everything’ blocks devs from removing their own npm packages



Over the holidays, the npm package registry was flooded with more than 3,000 packages, including one called “everything,” and others named after variations of the word.

The package is quite aptly named, as downloading “everything” will gradually pull in every single npm package ever published to the npmjs.com registry onto your computer, potentially making it run out of storage. That, however, is just the tip of the iceberg.

If you are asking, “But who would install ‘everything’?”, that ignores a bigger side-effect of the package.

Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as a dependency, npm package authors who have ever published to the registry are now unable to remove their packages at will, because of npm’s unpublish policy.

everything prevents you from unpublishing your packages

What may have started as a simple prank ended up having bigger repercussions for all authors across the npm ecosystem.

Installing everything could easily have caused your computer to run short of storage space and slow down, but the package’s mere existence on npmjs.com prevents authors, entirely unrelated to this package, from unpublishing their packages from the world’s largest JavaScript software registry.

The “everything” package has just 5 sub-packages, published under the “@everything-registry” scope, listed as its dependencies, BleepingComputer has observed.

[Image: npm package called "everything" attempts to install every package on the npm registry]
“everything” and its many dependencies fetch every single npm package from the registry (BleepingComputer)

These 5 packages, however, gradually manage to pull in every single package present on the entire registry as a dependency. For example, “everything” pulls in “@everything-registry/chunk-2,” which in turn attempts to pull in several other packages by the same author, such as “@everything-registry/sub-chunk-1623.”

Each of these sub-packages (or “chunks,” as the author calls them) ultimately lists about 800 npm projects as its dependencies.

[Image: 3000+ packages that pull in everything from the npmjs.com registry]

Considering the author of “everything” has published 3,000-plus such packages (chunks), each with hundreds of dependencies, a single `npm install everything` command will start resolving what are known as transitive dependencies and end up downloading millions of packages.
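To make the chain of chunks and sub-chunks above concrete, here is an added JavaScript example (not code from BleepingComputer, npm or PatrickJS) that models a tiny, constructed registry snapshot with the same shape, walks the transitive dependency closure an `npm install everything` would have to resolve, and applies the unpublish rule this article describes later (a package may only be unpublished when nothing else on the registry depends on it) to show which packages get stuck. The `registry` object is constructed for illustration; apart from “everything”, “@everything-registry/chunk-2” and “@everything-registry/sub-chunk-1623”, every package name in it is made up, and the real chunks carry roughly 800 dependencies each rather than the two shown here.

```javascript
// Added example, not the article's or the project's own code. A constructed
// registry snapshot: package name -> list of direct dependencies. Names other
// than "everything", "@everything-registry/chunk-2" and
// "@everything-registry/sub-chunk-1623" are invented for illustration.
const registry = {
  "everything": ["@everything-registry/chunk-1", "@everything-registry/chunk-2"],
  "@everything-registry/chunk-1": ["@everything-registry/sub-chunk-1"],
  "@everything-registry/chunk-2": ["@everything-registry/sub-chunk-1623"],
  "@everything-registry/sub-chunk-1": ["left-pad-example", "tiny-util-example"],
  "@everything-registry/sub-chunk-1623": ["tiny-util-example", "my-experiment-example"],
  "left-pad-example": [],
  "tiny-util-example": [],
  "my-experiment-example": ["tiny-util-example"],
};

// Breadth-first walk of the dependency graph. Returns the set of every
// package that installing `root` would have to resolve (the transitive
// closure), visiting each package once even when many chunks share it.
function transitiveDependencies(registry, root) {
  const seen = new Set();
  const queue = [root];
  while (queue.length > 0) {
    const name = queue.shift();
    for (const dep of registry[name] ?? []) {
      if (!seen.has(dep)) {
        seen.add(dep);
        queue.push(dep);
      }
    }
  }
  return seen;
}

// Invert the graph: for each package, which packages list it directly as a
// dependency. This is the "dependents" view an unpublish check needs.
function directDependents(registry) {
  const dependents = new Map();
  for (const [name, deps] of Object.entries(registry)) {
    for (const dep of deps) {
      if (!dependents.has(dep)) dependents.set(dep, new Set());
      dependents.get(dep).add(name);
    }
  }
  return dependents;
}

// The post-left-pad rule as the article states it: unpublishing is allowed
// only when no other package depends on the target. Returns the sorted list
// of packages that would block the unpublish; an empty list means allowed.
function unpublishBlockers(registry, name) {
  return [...(directDependents(registry).get(name) ?? [])].sort();
}

const closure = transitiveDependencies(registry, "everything");
console.log(`npm install everything would resolve ${closure.size} packages`);
for (const pkg of ["my-experiment-example", "tiny-util-example", "everything"]) {
  const blockers = unpublishBlockers(registry, pkg);
  console.log(`unpublish ${pkg}: ${blockers.length ? "blocked by " + blockers.join(", ") : "allowed"}`);
}
```

In this snapshot the author's own "my-experiment-example" cannot be unpublished because a sub-chunk it never heard of lists it, which is exactly the situation the article describes; "everything" itself has no dependents and could be removed, while its chunks and sub-chunks block each other down the chain.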

gdi2290, aka PatrickJS, who is behind this prank, apologized for “any difficulties this package has caused,” and contacted npm admins to remedy the issue.

A preserved snapshot of the now-removed GitHub discussion is provided below:

“Imagine you did an experiment, published a package to NPM and now you want to remove your NPM package. You can’t do it if other packages are using it,” writes Jossef Harush, Head of Software Supply Chain Security at Checkmarx, on the company’s blog.

Harush, who labeled this campaign “dependency hell,” further states, “The problem is, since ‘everything’ relies on every package (including yours), your package gets stuck, and there is some unknown package preventing you from removing it.”

The researcher drew comparisons between “everything” and the “no-one-left-behind” package published in January 2023 that attempted to pull off much the same stunt.

npm policy shift follows left-pad incident

Unlike some open-source software registries such as Maven Central, which are immutable and generally prevent authors from removing their published components, npm and PyPI have traditionally allowed developers to delete, or “yank,” their releases at will.

Following a 2016 incident, though, in which left-pad’s author removed his npm package in protest and broke a large part of the web, npm made it harder for authors to unpublish packages.

One such policy change involved allowing authors to unpublish a package only if no other package on the npm registry depends on it.

Ironically, this policy has also left PatrickJS, the author of “everything,” unable to simply remove his prank packages, given the extensively long dependency chain he has set up.

BleepingComputer observed that, as of this morning, while “everything” continues to live on the registry, the thousands of “@everything-registry” scoped packages it uses have now been made private, potentially resolving the issue.
