GitHub's npm gave away a package name while it was in use, causing rethink

When it comes to ownership, details count

Last December, GitHub recognized that it hadn't revisited the dispute policy for npm packages since acquiring NPM in March 2020, and in February this year it suspended transfers of abandoned packages until it could come up with a system that's fair, consistent, and enforceable.

The Microsoft-owned company did so because Andrew Sampson, CEO and co-founder of streaming app Rainway, showed that npm's process was none of those things.

Sampson and other contributors created an open source, cross-platform serialization format called Bebop to support the Rainway app. To ensure the chosen name remained the same across multiple programming languages, they proceeded to register the Bebop package name at various package registries like .Net's NuGet, Rust's Cargo, and Dart's pub.dev.

The name, however, was taken on npm, the registry frequented by JavaScript, Node.js, and TypeScript developers. At the time, npm's advice for handling module name disputes was to email the owner of the relevant package and to send a copy of the message to npm's support address.

"After a few weeks, if there's no resolution, we'll sort it out," the now-removed dispute policy explained.

Sampson emailed the listed address, got no response, and four weeks later was rewarded with a note from npm giving over control of the Bebop name.

Bad management

GitHub's npm team shouldn't have done so: the registry had the wrong email address on file for the individual who had registered Bebop and had been using the name for more than eight years.

"As it turns out, the package was not abandoned," explained Sampson via Twitter. "[Zach Kelling] published it over eight years ago and used it consistently in that time."

According to Sampson, none of the emails associated with Kelling's account received the name inquiry and the email address produced by the command npm owner ls bebop wasn't associated with the package.

"Zach only noticed the ownership had been taken away from his account because an update failed to publish," said Sampson.

Sampson said Kelling opened a ticket with npm support and was told the name would not be returned, but was offered a GitHub Pro subscription and a $100 credit for GitHub merch "for the inconvenience."

"We take our role as stewards of the registry very seriously," a GitHub spokesperson said in an email to The Register. "We are not currently accepting dispute requests to 'adopt an abandoned package' as we re-evaluate and update the overall dispute process, which we’re tracking in our Public Roadmap."

Kelling did not immediately respond to a request for comment.

All wrapped up

Sampson personally ended up compensating Kelling for the name after getting in contact. And Kelling subsequently renamed his original Bebop package "bebop-cli."

Sampson nonetheless expressed concern that the NuGet community is currently trying to implement a similar process for taking over package names and fears it will have the same problems.

"Package adoption creates new avenues for compromising supply chains – registries should not be facilitating it," was the warning. "If a package transfer does need to occur, then the only method to do so should be the owner doing it. The registry itself shouldn't have the ability."
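The risk Sampson describes can at least be detected after the fact by watching a dependency's registry metadata. The following is an added example, not code from the article, from npm, or from Rainway: it compares two constructed snapshots of a package's public registry document (the "maintainers" list and "time" map are real fields of that document; the package and maintainer names are made up) and flags an ownership change on a package that was still being published, i.e. one that was not abandoned.

```python
"""Flag maintainer changes in npm registry metadata (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample snapshots mimicking the shape of the document served at
# https://registry.npmjs.org/<name>; names, emails and dates are invented.
SNAPSHOT_BEFORE = {
    "name": "example-pkg",
    "maintainers": [{"name": "original-owner", "email": "owner@example.invalid"}],
    "time": {"created": "2014-03-01T10:00:00.000Z",
             "modified": "2022-01-15T10:00:00.000Z",
             "1.0.0": "2014-03-01T10:00:00.000Z",
             "1.4.2": "2022-01-15T10:00:00.000Z"},
}
SNAPSHOT_AFTER = {
    "name": "example-pkg",
    "maintainers": [{"name": "new-owner", "email": "new@example.invalid"}],
    "time": {"created": "2014-03-01T10:00:00.000Z",
             "modified": "2022-02-20T10:00:00.000Z",
             "1.0.0": "2014-03-01T10:00:00.000Z",
             "1.4.2": "2022-01-15T10:00:00.000Z"},
}


def _parse(ts):
    # Registry timestamps are ISO 8601 with millisecond precision and a Z suffix.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def last_publish(doc):
    """Newest version publish time, ignoring the 'created'/'modified' keys."""
    stamps = [v for k, v in doc["time"].items() if k not in ("created", "modified")]
    return max(_parse(s) for s in stamps)


def maintainer_changes(before, after):
    """Return (added, removed) maintainer names between two snapshots."""
    old = {m["name"] for m in before["maintainers"]}
    new = {m["name"] for m in after["maintainers"]}
    return sorted(new - old), sorted(old - new)


def suspicious_transfer(before, after, active_window=timedelta(days=365)):
    """True when every original maintainer disappeared, someone new appeared,
    and the package had been published within `active_window` of the change:
    the pattern of a live package being handed to a stranger."""
    added, removed = maintainer_changes(before, after)
    all_original_gone = len(removed) == len(before["maintainers"])
    observed = _parse(after["time"]["modified"])
    recently_active = observed - last_publish(before) <= active_window
    return bool(added) and all_original_gone and recently_active
```

In practice the "before" snapshot would be the document saved when the dependency was first pinned, and the check would run in CI before a lockfile update is accepted.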

In an email to The Register, Sampson expressed sympathy for GitHub and npm, acknowledging package management and registry operation are both difficult.

"I think mistakes are inevitable at the scale of something like npm," Sampson said. "That being said, their response to the developer that was impacted by their mistake was pretty awful. That is why we ended up paying him $5,000 because I understand that for a developer time is their most valuable commodity, and the undue stress and disruption caused by their mistake likely hampered them for a few days."

Sampson expressed pleasure that npm suspended its transfer process as a result of the incident and noted that the support rep he dealt with mentioned that previous incidents of this sort had already prompted changes in npm's processes.

Transfers of control over package names at npm have proven problematic in the past, as the 2019 PureScript incident demonstrates. Other package registries have encountered similar issues.

The Java ecosystem, like some others, has dealt with potential name conflicts through hierarchical namespaces. For example, a Java program will reference com.example.library_name.package_name, as opposed to just package_name. This offers an obvious way to avoid identical package names.

But that convention isn't adopted everywhere and in programming ecosystems that accommodate flat namespaces like "bebop," names accrue brand value as they become popular or just because they're short and memorable. That has the potential to incentivize abuse like name squatting and to encourage developers to take steps to capture, control, and perhaps speculate on "great names."

"I think it is a hard problem to solve," said Sampson. "Should a package name be lost forever simply because someone registered it over a decade ago and never actually used it? What happens if the owner of a popular package dies and they never assigned other primary contributors, is a fork now forced by the community? There is a lot of nuance involved here. People much smarter than me will figure out a system that works – that is the beauty of open source." ®

Biting the hand that feeds IT © 1998–2022