The npm package ownership process is flawed. Anecdotally, I received an email from npm support saying someone requested publish rights to a package that I manage. The default was that the access would be granted if I did not respond within 30 days.

It's very possible this went through npm support, they received no reply within the window, and the transfer was granted.

There are good practices around domain names to lock transfer, perhaps npm should consider adopting similar mechanisms.

--edit-- for the curious, here is the redacted email chain. I don't want to call anyone out on this. These things are hard, and handling edge cases is very difficult. I love npm, and host several packages there. I really appreciate everything they've done for node and JavaScript, and I think folks are harder on them than they should be due to some tricky decisions they've made. But I want things to improve for everyone, so consider this a disclosure for analysis on how things can get better. https://pastebin.com/636v8YSP

I've been on the other side of a similar conversation, which eventually got me the name I wanted after around 30 days. This was around five years ago, when there were still no scoped packages and the ecosystem was surging in popularity. I guess in the previous years people had been creating test packages and forgetting about them, and no doubt some were just squatting popular names. In my case the package with the name I wanted was empty and inactive, and there was a human check before it was handed over.

Yes, I had guessed the policy is to prevent squatting. But it shouldn't apply to packages that actually have code sitting in them - anyone could have seen that a bunch of work had gone into my package, even if it hadn't been updated in a while. If it's a legit package, no matter how old it is, then the ownership should stick to the original author by default in perpetuity.

What a strange exchange. Why would npm assume that you actually want to add this random third party as a user? Could the package in question have appeared "dead" (i.e. no recent updates, not many weekly downloads)?

It wasn't dead, but I hadn't updated it in a while and it wasn't the most popular thing in the world.

I once took over ownership of the then-quite-popular async-lock package. It had a bug and it really wasn't being maintained anymore. The process was actually quite beneficial to the community in that case. That being said, I think the owner didn't understand English very well so I'm not sure he would have understood the emails from NPM support had he read them.

Allowing automatic claiming of ownership by a third party is extremely dangerous to the ecosystem. This sounds like a vulnerability that could be used to publish malicious code to repos that people are using but that are no longer maintained (event-stream->flatmap-stream, anyone?).
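Since the thread is about ownership quietly changing hands on packages people still depend on, the practical defensive check is to watch the registry metadata for your dependencies and alert when the maintainer set changes or a version is published by someone who was not a maintainer before. The script below is an added example, not code from the thread or from npm; it reads the public registry document shape (the top-level `maintainers` array and the per-version `_npmUser` field that https://registry.npmjs.org/<name> returns) and compares it against a saved baseline. The package names, user names and documents are constructed samples, not real packages.

```python
"""Flag maintainer changes and out-of-baseline publishers in npm registry metadata.

Added example (not from the thread). Assumes the registry document layout of
https://registry.npmjs.org/<name>: a top-level "maintainers" list of
{"name", "email"} objects and, per version, an "_npmUser" object naming the
account that published it. All documents and names below are constructed.
"""
import json
from typing import Dict, Set


def maintainer_names(doc: dict) -> Set[str]:
    """Return the set of maintainer account names in a registry document."""
    return {m["name"] for m in doc.get("maintainers", []) if "name" in m}


def check_package(doc: dict, baseline: Set[str]) -> dict:
    """Compare a registry document against a previously recorded maintainer set.

    Returns the maintainers added and removed since the baseline, plus every
    version whose publisher (_npmUser) is not in the baseline set, which is the
    signal for "a newcomer pushed code to a package I already depend on".
    """
    current = maintainer_names(doc)
    suspect_versions: Dict[str, str] = {}
    for version, meta in doc.get("versions", {}).items():
        publisher = (meta.get("_npmUser") or {}).get("name")
        if publisher and publisher not in baseline:
            suspect_versions[version] = publisher
    added = current - baseline
    removed = baseline - current
    return {
        "added": added,
        "removed": removed,
        "suspect_versions": suspect_versions,
        # Any change in who can publish, or any publish by a stranger, is
        # worth a human look before the next `npm install` picks it up.
        "alert": bool(added or removed or suspect_versions),
    }


def audit(docs: Dict[str, dict], baselines: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Run check_package over every dependency that has a recorded baseline."""
    return {name: check_package(doc, baselines.get(name, set()))
            for name, doc in docs.items()}


# --- constructed sample registry documents (not real packages) ---------------
SAMPLE_DOCS = {
    # Original author still present, but a new maintainer was added and
    # immediately published a release: the pattern the thread worries about.
    "example-util": json.loads("""{
        "name": "example-util",
        "maintainers": [{"name": "alice", "email": "alice@example.invalid"},
                        {"name": "mallory", "email": "mallory@example.invalid"}],
        "versions": {
            "1.0.0": {"_npmUser": {"name": "alice"}},
            "1.1.0": {"_npmUser": {"name": "mallory"}}
        }
    }"""),
    # Ownership fully transferred: original maintainer gone, newcomer in place.
    "example-stream": json.loads("""{
        "name": "example-stream",
        "maintainers": [{"name": "carol", "email": "carol@example.invalid"}],
        "versions": {
            "2.0.0": {"_npmUser": {"name": "bob"}}
        }
    }"""),
    # Unchanged package: should produce no alert.
    "example-quiet": json.loads("""{
        "name": "example-quiet",
        "maintainers": [{"name": "dave", "email": "dave@example.invalid"}],
        "versions": {
            "0.3.1": {"_npmUser": {"name": "dave"}}
        }
    }"""),
}

# Maintainer sets recorded the last time the lockfile was reviewed (constructed).
SAMPLE_BASELINES = {
    "example-util": {"alice"},
    "example-stream": {"bob"},
    "example-quiet": {"dave"},
}


if __name__ == "__main__":
    for pkg, result in audit(SAMPLE_DOCS, SAMPLE_BASELINES).items():
        status = "ALERT" if result["alert"] else "ok"
        print(f"{status:5} {pkg}: +{sorted(result['added'])} "
              f"-{sorted(result['removed'])} suspect={result['suspect_versions']}")
```

In practice the baseline would be the maintainer set captured when a dependency was first vetted, and the documents would be fetched from the registry on a schedule or in CI before installs; the comparison logic stays the same.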