When "Everything" Becomes Too Much: The npm Package Chaos of 2024

Happy 2024, folks! Just when we thought we'd seen it all, an npm user named PatrickJS, aka gdi2290, threw us a curveball. He (along with a group of contributors) kicked off the year with a bang, launching a troll campaign that uploaded an npm package aptly named everything. This package, true to its name, depends on every other public npm package, creating millions of transitive dependencies.

The Chaos Unleashed

The everything package and its 3,000+ sub-packages have caused a Denial of Service (DOS) for anyone who installs it. We're talking about storage space running out and system resource exhaustion.

But that's not all. The creator took their prank to the next level by setting up http://everything.npm.lol, showcasing the chaos they unleashed. They even included a meme from Skyrim, adding some humor (or mockery, depending on your perspective) to the situation.

everything's package.json file

{
  "name": "everything",
  "version": "3.0.0",
  "description": "npm install everything",
  "main": "index.js",
  "contributors": [
    "PatrickJS <github@patrickjs.com>",
    "uncenter <hi@uncenter.dev>",
    "ChatGPT <chatgpt@openai.com>",
    "trash <trash@trash.dev>",
    "Hacksore <sean@boult.me>"
  ],
  "scripts": {},
  "keywords": [
    "everything",
    "allthethings",
    "everymodule"
  ],
  "license": "MIT",
  "homepage": "https://github.com/everything-registry/everything",
  "repository": {
    "type": "git",
    "url": "git+https://github.com/everything-registry/everything.git"
  },
  "dependencies": {
    "@everything-registry/chunk-0": "0.1.0",
    "@everything-registry/chunk-1": "0.1.0",
    "@everything-registry/chunk-2": "0.1.0",
    "@everything-registry/chunk-3": "0.1.0",
    "@everything-registry/chunk-4": "0.1.0"
  }
}

Echoes of the Past

This isn't the first time we've seen such a stunt. Last year, the no-one-left-behind package by Zalastax attempted something similar. It was removed, but then reemerged under a different scope with over 33,000 sub-packages. It's like playing whack-a-mole with npm packages!

It’s also reminiscent of a package called “hoarders” that used to directly depend on every module on npm (approximately 20,000 in 2012). It was published by software engineer Josh Holbrook, created to be “node.js's most complete utility grab bag.”

In an effort to maintain a secure and reliable ecosystem for JavaScript developers, hoarders was effectively “cancelled” by Isaac Schlueter (creator of the npm package manager) after a year, due to the strain it caused on the registry's database.

Unintended Consequences

The "everything" package, with its 5 sub-packages and thousands of dependencies, has essentially locked down the ability for authors to unpublish their packages. This situation is due to npm's policy shift following the infamous "left-pad" incident in 2016, where a popular package left-pad was removed, grinding development to a halt across much of the developer world. In response, npm tightened its rules around unpublishing, specifically preventing the unpublishing of any package that is used by another package.

Ironically, this policy trapped PatrickJS in his own web. Upon realizing the impact of his prank, he attempted to remove the everything package but was unable to do so. He reached out to the npm support team for help, but the damage was done.

PatrickJS wrote this apology on GitHub in a since-removed GitHub issue:

Hi all! First, just want to apologize about any difficulties this package has caused. We are working to resolve the issues and we have contacted NPM regarding support with this matter (see below). We appreciate your patience.

The major issue here is that when a package depends on another package at a specific version, that version cannot be unpublished. We've since realized there is an issue with "star" versions - a.k.a depending on any/all versions of another package ( "package-xyz": "*" ) - any version of that package is now unable to unpublish. As I previously mentioned, we've reached out to npm and are hoping they can either A) allow folks to unpublish when the packages that depend on them use a "star" version, B) not permit star versions in published packages going forward, or as a last resort, C) remove our npm organization entirely (and remove all of the packages that are blocking unpublishing). As far as we can tell, there is simply nothing we can do on our own - we can't unpublish the packages ourselves (because other packages depend on them) and publishing a new version over them doesn't change anything.

However, we now see that while everything remains on the registry, the @everything-registry scoped packages have been made private, potentially offering a resolution.

The Ripple Effect

This whole saga is more than just a digital prank. It highlights the ongoing challenges in package management within the npm ecosystem. For developers, it's a reminder of the cascading effects of dependencies and the importance of mindful package creation, maintenance, and consumption.

As we navigate the open source world, incidents like the everything package remind us of the delicate balance between freedom and responsibility in open-source software.

Install Socket for GitHub to stay secure this year, and let's see what the rest of 2024 has in store for us!

h/t Ax Sharma