logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Cash-for-leftpad.md (4843B)

    

  1. ---
  2. title: I will pay you cash to delete your npm module
  3. date: 2021-11-16
  4. ---
  6. npm's culture presents a major problem for global software security. It's
  7. grossly irresponsible to let dependency trees grow to thousands of dependencies,
  8. from vendors you may have never heard of and likely have not critically
  9. evaluated, to solve trivial tasks which could have been done from scratch in
  10. mere seconds, or, if properly considered, might not even be needed in the first
  11. place.
  13. We need to figure out a way to curb this reckless behavior, but how?
  15. I have an idea. Remember left-pad? That needs to happen more often.
  17. ![A LaTeX rendering of an equation which sets a reward (in dollars) to the logarithm of weekly downloads over lines of code in base 10 times one hundred](https://l.sr.ht/Fe7o.svg)
  19. I'll pay you cold hard cash to delete your npm module. The exact amount will be
  20. determined on this equation, which is designed to offer higher payouts for
  21. modules with more downloads and fewer lines of code. A condition of this is that
  22. you must delete it without notice, so that everyone who depends on it wakes up
  23. to a broken build.
  25. Let's consider an example: [isArray][0]. It has only four lines of code:
  27. [0]: https://www.npmjs.com/package/isarray
  29. ```javascript
  30. var toString = {}.toString;
  32. module.exports = Array.isArray || function (arr) {
  33.   return toString.call(arr) === '[object Array]';
  34. };
  35. ```
  37. With 51 million downloads this week, this works out to a reward of $710.
  39. To prevent abuse, we'll have to agree to each case in advance. I'll review your
  40. module to make sure it qualifies, and check for any funny business like
  41. suspicious download figures or minified code. We must come to an agreement
  42. *before* you delete the module, since I will not be able to check the line
  43. counts or download numbers after it's gone.
  45. I may also ask you to wait to delete your module, so that the chaos from each
  46. deletion is separated by a few weeks to maximize the impact. Also, the reward is
  47. capped at $1,000, so that I can still pay rent after this.
  49. Do we have a deal? [Click here to apply →](#conclusion)
  51. <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br />
  52. <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br />
  53. <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br />
  54. <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br />
  55. <a id="conclusion"></a>
  57. Alright, the gig is up: this is satire. I'm not actually going to pay you to
  58. delete your npm module, nor do I want to bring about a dark winter of chaos in
  59. the Node ecosystem. Plus, [it wouldn't actually work][node response].
  61. [node response]: https://blog.npmjs.org/post/141905368000/changes-to-npms-unpublish-policy
  63. I do hope that this idea strikes fear in the hearts of any Node developers that
  64. read it, and in other programming language communities which have taken after
  65. npm. What are you going to do if one of your dependencies vanishes?  What if
  66. someone studies the minified code on your website, picks out an obscure
  67. dependency they find there, then bribes the maintainers?
  69. Most Node developers have no idea what's in their dependency tree. Most of them
  70. are thousands of entries long, and have never been audited. This behavior is
  71. totally reckless and needs to stop.
  73. Most of my projects have fewer than 100 dependencies, and many have fewer than
  74. 10. Some have zero. This is by design. You can't have a free lunch, I'm afraid.
  75. Adding a dependency is a serious decision which requires consensus within the
  76. team, an audit of the new dependency, an understanding of its health and
  77. long-term prospects, and an ongoing commitment to re-audit them and be prepared
  78. to change course as necessary.
  80. ---
  82. isArray license:
  84. ```
  85. Copyright (c) 2013 Julian Gruber <julian@juliangruber.com>.
  87. Permission is hereby granted, free of charge, to any person obtaining a copy
  88. of this software and associated documentation files (the "Software"), to deal
  89. in the Software without restriction, including without limitation the rights
  90. to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  91. copies of the Software, and to permit persons to whom the Software is
  92. furnished to do so, subject to the following conditions:
  94. The above copyright notice and this permission notice shall be included in all
  95. copies or substantial portions of the Software.
  97. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  98. IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  99. FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  100. AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  101. LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  102. OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  103. SOFTWARE.
  104. ```