by superasn on 1/6/2024, 9:06:47 PM
by jasonjmcghee on 1/7/2024, 5:39:36 PM
I’m blown away by the reception of this article. It’s wildly low quality, generated SEO spam.
> It was removed, but then reemerged under a different scope with over 33,000 sub-packages. It's like playing whack-a-mole with npm packages!
> This whole saga is more than just a digital prank. It highlights the ongoing challenges in package management within the npm ecosystem. For developers, it's a reminder of the cascading effects of dependencies and the importance of mindful package creation, maintenance, and consumption.
> As we navigate the open source world, incidents like the everything package remind us of the delicate balance between freedom and responsibility in open-source software.
by troupo on 1/6/2024, 8:55:37 PM
https://x.com/PatrickJS__/status/1743693931316191671
"accidentally broke NPM and all I got was this sweet permanent banner all over my GitHub (that's impossible to remove since they probably had to code it up last minute before removing the org/repo)"
by ruune on 1/6/2024, 9:19:53 PM
Just as a side note about the screenshot at the end. I think it's from this Socket thing, but the supply chain security of a package that depends on literally anything on npm having a score of almost 50 really makes me wonder whether that score is just artificially inflated on every other package. Can you even reach a score below 47?
by navtoj on 1/6/2024, 8:47:37 PM
NPM still hasn't fixed the "*" package version bug on their end.
by dang on 1/6/2024, 11:02:41 PM
Recent and related:
'everything' blocks devs from removing their own NPM packages - https://news.ycombinator.com/item?id=38873944 - Jan 2024 (102 comments)
by SquidJack on 1/7/2024, 2:08:40 PM
The article is totally misleading: there is no storage space running out and no system resource exhaustion. BTW, the total size is around 30 MB, or less than 50. The only thing is that no one can unpublish the npm package, because npm has a policy that if one package depends on your package, you can't unpublish it.
by yreg on 1/7/2024, 10:39:12 AM
> The "everything" package, with its 5 sub-packages and thousands of dependencies, has essentially locked down the ability for authors to unpublish their packages. This situation is due to npm's policy shift following the infamous "left-pad" incident in 2016, where a popular package left-pad was removed, grinding development to a halt across much of the developer world. In response, npm tightened its rules around unpublishing, specifically preventing the unpublishing of any package that is used by another package.
Has no one thought of that? It seems like it should have been obvious that such an absolute rule could be easily abused to troll the system at scale.
Not sure if it's a problem though, perhaps all unpublishing requests should be reviewed by someone at the registry (and granted only when it makes sense).
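The two mechanisms the thread keeps circling back to (dependency specifiers such as "*" that accept any version, and npm's rule that a package with dependents cannot be unpublished) can be modelled offline. The block below is an added example, not code from the thread, from the everything package or from npm; the registry shape (name -> { deps: { name: range } }), the function names and the sample packages are all constructed for illustration, and the unpublish model keeps only the "has dependents" condition and ignores the other conditions npm's real policy attaches.

```javascript
// Added example (not from the thread or from npm): a toy registry model showing
// (a) which dependency specs accept any version at all and
// (b) what the rule "a package with dependents cannot be unpublished" does once
//     a single package depends on everything.
// Registry shape, function names and sample data are constructed for illustration.

// semver ranges that match any version, plus the "latest" dist-tag.
const WILDCARD_RANGES = new Set(["*", "", "x", "X", "latest"]);

// List every dependency spec that accepts any version: [{ pkg, dep, range }].
// A newly published version of `dep`, whatever its contents, satisfies these.
function findWildcardDeps(registry) {
  const hits = [];
  for (const [pkg, meta] of Object.entries(registry)) {
    for (const [dep, range] of Object.entries(meta.deps || {})) {
      if (WILDCARD_RANGES.has(String(range).trim())) hits.push({ pkg, dep, range });
    }
  }
  return hits;
}

// Reverse edges: name -> Set of packages that list it as a dependency.
function dependentsOf(registry) {
  const rev = {};
  for (const name of Object.keys(registry)) rev[name] = new Set();
  for (const [pkg, meta] of Object.entries(registry)) {
    for (const dep of Object.keys(meta.deps || {})) {
      if (!(dep in rev)) rev[dep] = new Set();
      rev[dep].add(pkg);
    }
  }
  return rev;
}

// Packages that the "has at least one dependent" rule blocks from unpublishing.
// Simplified model: npm's real policy has further conditions not modelled here.
function lockedPackages(registry) {
  const rev = dependentsOf(registry);
  return Object.keys(registry).filter((name) => rev[name].size > 0).sort();
}

// Simulate publishing one package that depends on every other package with "*".
function addEverything(registry, name = "everything") {
  const deps = {};
  for (const other of Object.keys(registry)) if (other !== name) deps[other] = "*";
  return { ...registry, [name]: { deps } };
}

// Constructed sample registry (names chosen from the thread, data invented).
const SAMPLE_REGISTRY = {
  "left-pad": { deps: {} },
  "is-odd": { deps: { "is-number": "^6.0.0" } },
  "is-number": { deps: {} },
  "my-app": { deps: { "left-pad": "*", "is-odd": "latest" } },
};

console.log("wildcard specs:", findWildcardDeps(SAMPLE_REGISTRY));
console.log("locked before:", lockedPackages(SAMPLE_REGISTRY));
const AFTER = addEverything(SAMPLE_REGISTRY);
console.log("locked after:", lockedPackages(AFTER));
```

Before the simulated "everything" publish, only packages that someone already depends on are locked; afterwards every pre-existing package is locked, while the new package itself has no dependents and is the one thing that could still be unpublished. The wildcard scan is the check a consumer can actually act on: any "*" or "latest" spec in your own tree means the next publish of that name, by whoever holds it, is pulled in automatically.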
by rubyissimo on 1/7/2024, 10:32:44 AM
Does rubygems / go have "protections" against this?
Is npm specifically vulnerable to this kind of thing? Or is it just a cultural element of npm that there are more micro-packages?
by ramesh31 on 1/7/2024, 6:40:25 AM
As an NPM user since NPM existed, all I can do is shake my head and laugh at this point.
by frabjoused on 1/6/2024, 9:27:41 PM
NPM as a soulless entity is easy to bash, while the creator of the package is a popular tech influencer so naturally has the support of the masses. If you’re going to complain about NPM, describe how you would solve it in their shoes.
by happens on 1/7/2024, 12:06:35 PM
Most articles say the page includes a Skyrim meme, but no one says what the meme is and I can't find anything relating to Skyrim on everything.npm.lol. This is very confusing to me.
by francisduvivier on 1/7/2024, 9:25:06 AM
Lol, I can see trolls on Reddit using this when people are asking which npm package they should use.
"Just install the everything package, then you will be sure to have the right package"
by leros on 1/7/2024, 6:08:38 PM
I don't see this package labeled as a dependent on my packages. Must not have gotten everything.
by Affric on 1/6/2024, 9:01:53 PM
What a dissatisfying non-apology of an apology.
> First, just want to apologize about any difficulties this package has caused.
No rationale. No shame. Just the word “apologize” in a sentence.
Who downloaded it though? Surely as a dev if you download such a package it’s on you?
I've seen a lot of people criticise npm and their policies, but I've never come across a solution. Npm has its flaws, and while there are abuses like the everything package, is-odd, left-pad, etc., there are also many useful packages like vue, sortable, etc. without which development would be a huge pain.
So not asking rhetorically, if we had all the insight and knowledge we have now, how would you make it different?