GitHub’s npm Gave Away A Package Name While It Was In Use

Last December, GitHub recognized that it hadn’t revisited the dispute policy for npm packages since acquiring NPM in March 2020, and in February this year, it suspended transfers of abandoned packages until it could come up with a system that’s consistent, enforceable, and, fair.

They did so because Andrew, CEO, and co-founder of streaming app Rainway, pointed that npm’s process was none of those things.

Sampson and other contributors built an open-source, cross-platform serialization format called Bebop to help the Rainway app. To ensure the chosen name continued the same across various programming languages, he moved to register the Bebop package name at various package registries like .Net’s NuGet, Rust’s Cargo, and Dart’s

The name, though, was taken on npm, the registry frequented by JavaScript, Node.js, and TypeScript developers. At the time, npm’s guidance for handling module name disputes was to email the owner of the appropriate package and to send a copy of the message to npm’s support address.

“After a few weeks, if there’s no resolution, we’ll sort it out,” the now removed dispute policy explains.

Sampson emailed the listed address, got no reply, and four weeks later was rewarded with a note from npm giving him control of the Bebop name.

Do You Know About This: GitHub Copilot Is ‘Unacceptable And Unjust’ Says Free Software Foundation

Github’s npm team shouldn’t have done so because the registry had the incorrect email address for the person who had registered Bebop and had been using it for more than eight years.

“As it turns out, the package was not abandoned,” revealed Sampson via Twitter. “[Zach Kelling] published it over eight years ago and used it consistently in that time.”

According to Sampson, none of the emails linked with Kelling’s account got the name inquiry and the email address generated by the command npm owner ls bebop wasn’t linked with the package.

“Zach only noticed the ownership had been taken away from his account because an update failed to publish,” Sampson said on twitter.

Screenshot 2022 01 29 143837

Sampson said Kelling initiated a ticket with npm support and was told he would not get the name back, but was granted a GitHub Pro subscription and a $100 credit for GitHub merch “for the inconvenience.”

“We take our role as stewards of the registry very seriously,” a GitHub spokesperson said in an email to The Register. “We are not currently accepting dispute requests to ‘adopt an abandoned package’ as we re-evaluate and update the overall dispute process, which we’re tracking in our Public Roadmap.”

Kelling did not quickly react to a request for comment.

Sampson said he settled up compensating Kelling for the name after he reached out directly. And Kelling subsequently renamed his original Bebop package “bebop-cli.”

Sampson although expressed concern that the NuGet community is currently trying to implement a similar process for taking over package names and he worries it will have the same problems.

“Package adoption creates new avenues for compromising supply chains – registries should not be facilitating it,” he wrote. “If a package transfer does need to occur, then the only method to do so should be the owner doing it. The registry itself shouldn’t have the ability.”

Do You Know About This: GitHub Copilot Generated Insecure Code In 40% Of Circumstances During Experiment

In an email to The Register, Sampson expressed sympathy for GitHub and npm, accepting package management and registry operation are both difficult.

“I think mistakes are inevitable at the scale of something like npm,” he said. “That being said, their response to the developer that was impacted by their mistake was pretty awful. That is why we ended up paying him $5,000 because I understand that for a developer time is their most valuable commodity, and the undue stress and disruption caused by their mistake likely hampered them for a few days.”

He said he was happy npm suspended its transfer process as a consequence of the incident and noted that the support rep he dealt with suggested that past incidents of this sort had already indicated changes in npm’s processes.

Transfers of authority over package names at npm have proven problematic in the past, as the 2019 PureScript incident demonstrates. Other package registries have faced similar problems.

The Java ecosystem, like some others, has dealt with possible name conflicts through hierarchical namespaces. For example, a Java program will reference com.example.library_name.package_name, as opposed to just package_name. This suggests a simple way to avoid identical package names.

But that convention isn’t used everywhere and in programming ecosystems that contain flat namespaces like “bebop,” names accrue brand value as they grow big or just because they’re short and memorable. That has the potential to incentivize abuse like name squatting and to support developers to take steps to capture, control, and perhaps speculate on “great names.”

“I think it is a hard problem to solve,” said Sampson. “Should a package name be lost forever simply because someone registered it over a decade ago and never actually used it? What happens if the owner of a popular package dies and they never assigned other primary contributors, is a fork now forced by the community? There is a lot of nuances involved here. People much smarter than me will figure out a system that works – that is the beauty of open source.”

Help Someone By Sharing This Article