GitHub's npm gave away a package name while it was in use, causing rethink

When it comes to ownership, details count


Last December, GitHub recognized that it hadn't revisited the dispute policy for npm packages since acquiring NPM in March, 2020, and in February this year, it suspended transfers of abandoned packages until it could come up with a system that's fair, consistent, and enforceable.

The Microsoft-owned company did so because Andrew Sampson, CEO and co-founder of streaming app Rainway, showed that npm's process was none of those things.

Sampson and other contributors created an open source, cross-platform serialization format called Bebop to support the Rainway app. To ensure the chosen name remained the same across multiple programming languages, they proceeded to register the Bebop package name at various package registries like .Net's NuGet, Rust's Cargo, and Dart's pub.dev.

The name, however, was taken on npm, the registry frequented by JavaScript, Node.js, and TypeScript developers. At the time, npm's advice for handling module name disputes was to email the owner of the relevant package and to send a copy of the message to npm's support address.

"After a few weeks, if there's no resolution, we'll sort it out," the now-removed dispute policy explained.

Sampson emailed the listed address, got no response, and four weeks later was rewarded with a note from npm giving over control of the Bebop name.

Bad management

GitHub's npm team shouldn't have done so, because the registry had the wrong email address for the individual who had registered Bebop and had been using it for more than eight years.

"As it turns out, the package was not abandoned," explained Sampson via Twitter. "[Zach Kelling] published it over eight years ago and used it consistently in that time."

According to Sampson, none of the emails associated with Kelling's account received the name inquiry and the email address produced by the command npm owner ls bebop wasn't associated with the package.

"Zach only noticed the ownership had been taken away from his account because an update failed to publish," said Sampson.

Sampson said Kelling opened a ticket with npm support and was told the name would not be returned, but was offered a GitHub Pro subscription and a $100 credit for GitHub merch "for the inconvenience."

"We take our role as stewards of the registry very seriously," a GitHub spokesperson said in an email to The Register. "We are not currently accepting dispute requests to 'adopt an abandoned package' as we re-evaluate and update the overall dispute process, which we’re tracking in our Public Roadmap."

Kelling did not immediately respond to a request for comment.

All wrapped up

Sampson personally ended up compensating Kelling for the name after getting in contact. And Kelling subsequently renamed his original Bebop package "bebop-cli."

Sampson nonetheless expressed concern that the NuGet community is currently trying to implement a similar process for taking over package names and fears it will have the same problems.

"Package adoption creates new avenues for compromising supply chains – registries should not be facilitating it," was the warning. "If a package transfer does need to occur, then the only method to do so should be the owner doing it. The registry itself shouldn't have the ability."

In an email to The Register, Sampson expressed sympathy for GitHub and npm, acknowledging package management and registry operation are both difficult.

"I think mistakes are inevitable at the scale of something like npm," Sampson said. "That being said, their response to the developer that was impacted by their mistake was pretty awful. That is why we ended up paying him $5,000 because I understand that for a developer time is their most valuable commodity, and the undue stress and disruption caused by their mistake likely hampered them for a few days."

Sampson expressed pleasure that npm suspended its transfer process as a result of the incident and noted that the support rep involved in the communications mentioned that previous incidents of this sort had already prompted changes in npm's processes.

Transfers of control over package names at npm have proven problematic in the past, as the 2019 PureScript incident demonstrates. Other package registries have encountered similar issues.

The Java ecosystem, like some others, has dealt with potential name conflicts through hierarchical namespaces. For example, a Java program will reference com.example.library_name.package_name, as opposed to just package_name. This offers an obvious way to avoid identical package names.

But that convention isn't adopted everywhere and in programming ecosystems that accommodate flat namespaces like "bebop," names accrue brand value as they become popular or just because they're short and memorable. That has the potential to incentivize abuse like name squatting and to encourage developers to take steps to capture, control, and perhaps speculate on "great names."
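The practical worry behind Sampson's warning is that a name transfer changes who can publish under a package you already depend on, without anything in your lockfile changing. One defensive check a consumer can run is to read the registry's own metadata for a package and flag versions published by a different npm user than the one before, especially after a long quiet period. The following is an added example, not code from npm, GitHub or the Bebop project: the field names `time[version]` and `versions[version]._npmUser` are those of the npm registry document, while the package name, users and dates are constructed for the example.

```javascript
// Added example (not from the article or from npm): flag publisher changes
// in an npm registry document ("packument"). `time[v]` and
// `versions[v]._npmUser` are the registry's field names; the package,
// users and dates below are constructed sample data.
const SAMPLE_PACKUMENT = {
  name: "example-pkg", // constructed name
  time: {
    created: "2013-05-01T10:00:00.000Z",
    modified: "2021-12-01T10:00:00.000Z",
    "1.0.0": "2013-05-01T10:00:00.000Z",
    "1.1.0": "2015-02-10T10:00:00.000Z",
    "1.2.0": "2015-03-01T10:00:00.000Z",
    "2.0.0": "2021-12-01T10:00:00.000Z",
  },
  versions: {
    "1.0.0": { _npmUser: { name: "original-owner", email: "owner@example.invalid" } },
    "1.1.0": { _npmUser: { name: "original-owner", email: "owner@example.invalid" } },
    "1.2.0": { _npmUser: { name: "co-maintainer", email: "co@example.invalid" } },
    "2.0.0": { _npmUser: { name: "new-owner", email: "new@example.invalid" } },
  },
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Published versions in chronological order. Only keys present under
// `versions` are used, since `time` also carries "created" and "modified".
function versionsByDate(packument) {
  return Object.keys(packument.versions).sort(
    (a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b])
  );
}

// Each version whose publishing npm user differs from the previous version's,
// with the number of days since that previous publication.
function publisherChanges(packument) {
  const changes = [];
  let prev = null;
  for (const version of versionsByDate(packument)) {
    const user = packument.versions[version]._npmUser.name;
    const at = Date.parse(packument.time[version]);
    if (prev !== null && user !== prev.user) {
      changes.push({
        version,
        from: prev.user,
        to: user,
        gapDays: Math.round((at - prev.at) / DAY_MS),
      });
    }
    prev = { user, at };
  }
  return changes;
}

// The adoption pattern the article describes: a new publisher appearing only
// after the package had been quiet for a long time. Co-maintainer handoffs
// within the normal release cadence fall below the threshold.
function suspiciousAdoptions(packument, minGapDays = 365) {
  return publisherChanges(packument).filter((c) => c.gapDays >= minGapDays);
}

console.log("all publisher changes:", publisherChanges(SAMPLE_PACKUMENT));
console.log("flagged adoptions:", suspiciousAdoptions(SAMPLE_PACKUMENT));
```

Against the sample data, the 1.2.0 handoff to a co-maintainer 19 days after the previous release is reported but not flagged, while 2.0.0, published by a third user after more than six years of silence, is. For real packages the same document is what the registry returns for `https://registry.npmjs.org/<package-name>`, so the check can be run over every entry in a lockfile before upgrading; a flagged entry is a prompt to look at who now controls the name, not proof of compromise.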

"I think it is a hard problem to solve," said Sampson. "Should a package name be lost forever simply because someone registered it over a decade ago and never actually used it? What happens if the owner of a popular package dies and they never assigned other primary contributors, is a fork now forced by the community? There is a lot of nuance involved here. People much smarter than me will figure out a system that works – that is the beauty of open source." ®
