
“fs” unpublished and restored - okket
http://status.npmjs.org/incidents/dw8cr1lwxkcr
======
niftich
> _something like 1000 packages do mistakenly depend on "fs", probably because
> they were trying to use a built-in node module called "fs"_

These are some of the effects of a non-namespaced module/packaging ecosystem,
due to the contribution of Node.js and NPM in equal amounts.

This style of module naming has been exploited by the post 'Typosquatting
programming language package managers' [1][2], where they seeded Python's
_pip_ with modules named after popular packages' misspelled names, but also
with some modules that are included in the standard library by default. Since
in many cases the commands were run with elevated permissions, 'arbitrary' (in
the creative definition of 'unwanted') code could have been executed -- in
fact it was, but only a "benign" HTTP postback.

[1]
[https://news.ycombinator.com/item?id=11862217](https://news.ycombinator.com/item?id=11862217)

[2] original seems to be down, archived at:
[http://archive.is/CZlNG](http://archive.is/CZlNG), or
[http://webcache.googleusercontent.com/search?q=cache:http://...](http://webcache.googleusercontent.com/search?q=cache:http://incolumitas.com/2016/06/08/typosquatting-package-managers/)
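
Added example, not part of the thread or of any commenter's post: a Node.js check that flags `package.json` dependencies whose names collide with built-in modules such as "fs", the mistake described in the quoted incident text. The function name `findBuiltinShadows` and the sample manifest are constructed for illustration.

```javascript
// Flag registry dependencies that share a name with a Node.js built-in module.
// require("fs") always resolves to the built-in, so such a dependency is never
// loaded by that call, yet it is still downloaded and installed from the registry.
const nodeModule = typeof require === 'function'
  ? require('module')
  : process.getBuiltinModule('module'); // fallback when run as an ES module (newer Node.js only)
const BUILTINS = new Set(nodeModule.builtinModules);

const DEP_FIELDS = [
  'dependencies',
  'devDependencies',
  'optionalDependencies',
  'peerDependencies',
];

// Hypothetical helper: returns one finding per colliding dependency.
function findBuiltinShadows(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = manifest[field];
    if (deps === null || typeof deps !== 'object') continue;
    for (const [name, range] of Object.entries(deps)) {
      // Scoped names (@scope/fs) live in their own namespace and cannot collide.
      if (name.startsWith('@')) continue;
      if (BUILTINS.has(name)) findings.push({ field, name, range });
    }
  }
  return findings;
}

// Constructed sample manifest (names and versions are illustrative only).
const sampleManifest = {
  name: 'example-app',
  dependencies: { express: '^4.13.4', fs: '0.0.2', '@acme/path': '1.0.0' },
  devDependencies: { mocha: '^2.5.3', http: '*' },
};

for (const f of findBuiltinShadows(sampleManifest)) {
  console.log(`${f.field}: "${f.name}@${f.range}" has the same name as a Node.js built-in module`);
}
```

Running this over a project's manifest in CI surfaces the accidental "fs"-style dependency before it is installed.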

------
rootlocus
First leftpad, now this: _More detail: the "fs" package is a non-functional
package. It simply logs the word "I am fs" and exits._

People sure like to spam npm with toy / useless / misleading packages that end
up breaking thousands of projects. What a mess.

------
Waterluvian
Points for communicating and being honest. But it still scares me a little
that a process like that can be so easily skipped.

------
lttlrck
Or replace it with something less odious and deprecate that.

