What happens to abandoned packages? #82

joshbressers · 2020-11-03T20:06:29Z

joshbressers
Nov 3, 2020

Hi all,

The package trim has a recently reported security vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2020-7753

It's fairly widely used (3.5M weekly downloads) and appears to be an abandoned package as it's not seen any commits in over 8 years.

There is a PR to fix this problem from a community member that I verified works as expected. There is an open PR that's been open since 2016, the last PR was closed in 2014.

In this particular instance the security vulnerability isn't critical, I don't think any rushed decisions need to be made.

Does npm have an unresponsive maintainer policy or process?

An example of prior art here is Fedora's Non-responsive maintainer policy
https://docs.fedoraproject.org/en-US/fesco/Policy_for_nonresponsive_package_maintainers/

Answered by MylesBorins

Nov 17, 2023

Our current stance is that unmaintained packages will remain unmaintained. As stewards of the registry it is not in our purview to maintain packages created by others nor should we be making a decision regarding a future maintainer.

We do have a naming dispute policy and also accept trademark disputes as per GitHub's trademark policy.

From the policy

This process is not available for dispute requests due to lack of activity related to a specific name.

Please also note there are cases where a party may have claim to a specific name, but giving that name to the requesting party would pose a supply-chain risk to the npm ecosystem. In such cases, requests may be denied independent of the val…

View full answer

Ethan-Arrowood · 2020-11-03T20:49:07Z

Ethan-Arrowood
Nov 3, 2020

In the past I've seen efforts to move these projects to the Node package maintenance group (or other similar groups) for support

0 replies

MylesBorins · 2020-11-03T21:19:22Z

MylesBorins
Nov 3, 2020

Hey @joshbressers thanks for opening this. I'm going to ping some internal folks and figure out how we have handled this historically and how we should handle this in the future.

8 replies

MylesBorins Jul 19, 2021

@Sti2nd the process has changed since this issue was opened. We opted to move towards not allowing adoption of abandoned pacakges as it was an attack vector for folks could use for a supply chain attack.

Aeolun Mar 23, 2023

I'm not sure if the solution isn't worse than the problem. You've traded the potential for a supply chain attack for guaranteed vulnerabilities/attacks on everyone using abandoned packages.

ClementValot Nov 16, 2023

I feel like there's still a discussion to be had there.

Leaving unmaintained packages as-is

lowers the overall quality of the code on the npm registry
leads towards an explosion in the number of forks and near-copies of a given package

Which doesn't look sustainable for npm :/

What's the official stance 2 years later @MylesBorins ?

Aeolun Nov 17, 2023

Maybe you can have something like a warning after 2-3 years of inactivity where the package is automatically deprecated for a year, and then removed entirely.

You’d still get people re-registering the name but maybe NPM can have some sort of internal uuid for the ‘instance’ of the package name that you are downloading. If NPM detects that the instance/owner changed, then people would have to re-approve downloading and installing it.

I guess you can do the same thing without the whole deprecation thing. Just require everyone to re-approve package versions where the owner changed during update.

MylesBorins Nov 17, 2023

Please refer to my most recent response

#82 (comment)

cassidoo · 2020-11-03T21:30:34Z

cassidoo
Nov 3, 2020

I'd love more clarity on this as well. There's tons of old React packages squatting on package names that haven't been updated in years, it'd be nice to be able to replace those after a certain amount of inactivity.

1 reply

mcollina Nov 4, 2020

The process is fairly simple and I've done it myself a few times. Pick a module that was not updated in the last few years and follow https://www.npmjs.com/policies/disputes - it's really effective and you'll get an answer in a month.

MylesBorins · 2023-11-17T15:22:15Z

MylesBorins
Nov 17, 2023

Our current stance is that unmaintained packages will remain unmaintained. As stewards of the registry it is not in our purview to maintain packages created by others nor should we be making a decision regarding a future maintainer.

We do have a naming dispute policy and also accept trademark disputes as per GitHub's trademark policy.

From the policy

This process is not available for dispute requests due to lack of activity related to a specific name.

Please also note there are cases where a party may have claim to a specific name, but giving that name to the requesting party would pose a supply-chain risk to the npm ecosystem. In such cases, requests may be denied independent of the validity of the claim.

Claims to unused names or trademark disputes are handled on a case-by-case basis by a trained staff who specialize in the npm registry.

We are not considering any changes to this policy at this time.

2 replies

ClementValot Nov 19, 2023

I can't see how that is sustainable long-term and hope you lads have this issue on your mind internally 🙏

Aeolun Nov 20, 2023

In 20 years, NPM will be a graveyard of broken promises.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

What happens to abandoned packages? #82

{{title}}

Replies: 4 comments 11 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

What happens to abandoned packages? #82

Replies: 4 comments · 11 replies

Replies: 4 comments 11 replies