Empty NPM package '-' has over 700k downloads (bleepingcomputer.com)
61 points by clubdorothe 74 days ago | hide | past | favorite | 25 comments

> Developers should exercise caution when typing npm commands in the terminal when especially when using flags.

The double "when" is quite funny here, given the nature of the npm problem described in the article.

And removing it will probably break half the internet. NPM in a nutshell.

It's impossible to unpublish packages now.

I agree with the general sentiment, but if you do want to unpublish there is a policy available [0]

Key points being either:

- published within 72 hours and without any dependents

- no dependents, < 300/week downloads, single owner

Of course even with all that said there was also precedent for having it removed if you emailed them directly and it was up to their discretion (I believe this was prior to their acquisition so not sure if that still applies).

0: https://docs.npmjs.com/policies/unpublish

Technically. But the above is specifically designed to prevent someone from unpublishing a package that could "break half the internet", which is what the original poster was waxing on about.

Well, - has 56 dependents, so that ship has sailed.

Hopefully an npm alternative will come out, because npm and the entire node_modules & package.json resolution strategy is a joke.

Where there's user input there's cybersquatting.

Having a global namespace for packages was a bad idea. (same with ruby and python).

PHP gets it right: https://packagist.org/explore/

A simple logic of NOT "-" would have blocked any reintroduction/upgrade of the unintended "-" package, coupled with an inertiazed package replacing the accidentally-introduced "-" package.

Yeah, those who depend on the original but accidental "-" package for its functionality should suffer any consequential breakage that may have resulted from it.


So why would anyone make a package like that?

In the article they hypothesize that the creation of the package may have been a typo or another form of accident.

Since the content suggests it was generated by a script, there may have been an error in the input to the script or in the script itself.

Maybe, but the project does have an open issue created and edited multiple times by the developer.


This is normal troll stuff, I would guess. It's like claiming website URLs from known mistypers or something. Someone thinks it's funny.

And it is version 0.0.1 - how will it look when it reaches version 1.0.0?

What even does this package do? I can't understand how to get to the source and the readme is vague.

Usually I just check the github since most NPM modules link directly to it, but the only thing I find linked is this: https://npm.runkit.com/-/dist/index.js?t=1627966991920

The index file is:

    "use strict";
    Object.defineProperty(exports, "__esModule", { value: true });
    exports.default = null;

The readme mentions that it's a test of this: https://github.com/parzh/create-package-typescript

> Recklessly create TypeScript npm packages left and right with this single command

I think this is the project.


Oh my god. Why does this exist?

> A mysterious, one-letter npm package named "-" sitting on the registry since 2020 has received over 700,000 downloads.

...then a few lines further down the article:

> An npm package called "-" has scored almost 720,000 downloads since its publication on the npm registry, since early 2020.

Kinda frustrating that the same information is being written twice imo... And then two ads in a row follow that

What would happen if a newer version gets released sometime with some added malware functionality?

Mistyped, incorrect, and copypasted shell commands which are incorrectly using the minus character.

Also 56 dependents

Can a newer version be used to introduce malicious code for those downloading or the dependents?
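The check two comments in this thread gesture at, the "NOT '-'" logic that would reject an accidentally introduced "-" dependency and the worry that a later release of "-" could ship different code to its dependents, written out as an added example. This is not code from the article, from npm, or from anyone in the thread. It audits a package.json for dependency names that look like a stray shell flag rather than a package (a bare "-", anything starting with "-", or a lone punctuation character) and notes whether such an entry is pinned to an exact version, since a range would let a fresh install pull in whatever gets published next. The manifest it scans is constructed for illustration; the flag-like heuristic and field names are this example's own choices.

```python
"""Flag package.json dependencies whose names look like mistyped CLI flags.

Added example for this thread; not from the article or from npm.
The manifest below is constructed for illustration.
"""
import json
import re

# Heuristic (this example's own): a name that begins with a dash, or that is a
# single character other than a letter, digit or "@", is more likely a stray
# shell argument that ended up in the manifest than a package someone chose.
FLAG_LIKE = re.compile(r"^-|^[^A-Za-z0-9@]$")

# An exact pin is a plain x.y.z with no range operator, so a fresh install
# cannot resolve to a release published after the manifest was written.
EXACT_PIN = re.compile(r"^\d+\.\d+\.\d+$")

# The standard package.json dependency fields.
DEP_FIELDS = (
    "dependencies",
    "devDependencies",
    "optionalDependencies",
    "peerDependencies",
)


def audit_dependencies(package_json_text):
    """Return a list of (field, name, spec, reason) for suspicious entries."""
    manifest = json.loads(package_json_text)
    findings = []
    for field in DEP_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            if not FLAG_LIKE.match(name):
                continue
            reason = "name looks like a CLI flag, not a package"
            if not EXACT_PIN.match(spec):
                reason += "; version range is not pinned, so a future release would be installed"
            findings.append((field, name, spec, reason))
    return findings


# Constructed sample: one legitimate dependency, one accidental "-" entry,
# and one mistyped flag that landed in devDependencies with an open range.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {"-": "0.0.1", "left-pad": "^1.3.0"},
    "devDependencies": {"--save-dev": "*"},
})

if __name__ == "__main__":
    for field, name, spec, reason in audit_dependencies(SAMPLE_PACKAGE_JSON):
        print(f"{field}: {name!r} ({spec}): {reason}")
```

Run against a real manifest, the two findings above are the ones to act on differently: a flag-like name that is pinned exactly is at least frozen to the bytes that were reviewed, while an unpinned one is the case the last two comments worry about. Either way the entry is almost certainly an accident and belongs removed rather than pinned.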
