What measures have been taken to prevent something like the left-pad incident happening again?

In 2016, the maintainer of the left-pad package unpublished it from NPM, breaking millions of builds before NPM stepped in and restored (un-unpublished) the package before too much chaos could ensue.

https://www.theregister.com/2016/03/23/npm_left_pad_chaos/

What preventative measures have been taken against such incidents in the future? Has anything changed in the way node_modules is managed locally, in bundling, etc.? Has NPM changed its policies on how open source works? Are there any anticipated efforts to move away from, or modify, how open-source development works in order to handle such issues?

Edit: I was looking for open-ended discussion, but I guess Stack Overflow is not the place for that, so I have modified my question accordingly.

npm made it harder to unpublish packages

The incident happened because the maintainer of left-pad was able to unpublish the package even though the community depended on it.

Shortly after the incident (March 23, 2016), npm published a post-mortem that included their plan to address it:

We will make it harder to un-publish a version of a package if doing so would break other packages.

npm quickly followed up with an update (March 29, 2016):

If the version is older than 24 hours, then the unpublish will fail, with a message to contact support@npmjs.com.

npm announced a more significant update more recently (January 2020), which is their currently effective unpublish policy:

Packages published less than 72 hours ago

For newly created packages, as long as no other packages in the npm Public Registry depend on your package, you can unpublish anytime within the first 72 hours after publishing.

Packages published more than 72 hours ago

Regardless of how long ago a package was published, you can unpublish a package that:

  • no other packages in the npm Public Registry depend on
  • had less than 300 downloads over the last week
  • has a single owner/maintainer

This means that a package many other packages depend on, such as left-pad, effectively cannot be unpublished.

npm blocks publishing to an abandoned package name

Another problem was that someone could previously publish a malicious package under an abandoned package name (fortunately, this did not happen in the case of left-pad). npm corrected this as part of its initial post-mortem:

If a package with known dependents is completely unpublished, we’ll replace that package with a placeholder package that prevents immediate adoption of that name. It will still be possible to get the name of an abandoned package by contacting npm support.