15 votes

I will pay you cash to delete your npm module

11 comments

  1. [2]
    hungariantoast
    (edited )
    Link
    Also: ‘No way to prevent this’, Says Only Development Community Where This Regularly Happens EDIT: Drew updated the article:

    Also: ‘No way to prevent this’, Says Only Development Community Where This Regularly Happens

    EDIT: Drew updated the article:

    Alright, the gig is up: this is satire. I’m not actually going to pay you to delete your npm module, nor do I want to bring about a dark winter of chaos in the Node ecosystem. Plus, it wouldn’t actually work.

    15 votes
    1. babypuncher
      Link Parent
      This is amusing, and clearly inspired by an article the Onion publishes every time there is a mass shooting.

      This is amusing, and clearly inspired by an article the Onion publishes every time there is a mass shooting.

      5 votes
  2. [4]
    Wes
    (edited )
    Link
    I understand making a point, but this just seems destructive. Just cache your node modules; it's not that big of a deal. The author, Drew DeVault, also runs a public git hosting service. If...

    I understand making a point, but this just seems destructive. Just cache your node modules; it's not that big of a deal.

    The author, Drew DeVault, also runs a public git hosting service. If someone expresses the goal of "causing chaos", it would sure give me pause before trusting them with my code. What if tomorrow he decides git is an antipattern and burns that down instead?

    8 votes
    1. [3]
      skybrian
      Link Parent
      I had a Mastodon account on his server, after he offered it on Hacker News. I didn't use it much, but one day I went back and the server had disappeared, without notice. I doubt that would happen...

      I had a Mastodon account on his server, after he offered it on Hacker News. I didn't use it much, but one day I went back and the server had disappeared, without notice.

      I doubt that would happen for the git hosting service since more people are using it, but it would make me a bit hesitant.

      4 votes
      1. admicos
        Link Parent
        He did give notice though.... ... on his personal Mastodon account. If you didn't check that, and from the comment it doesn't seem like you did, I totally expect it would feel "unprompted"....

        I went back and the server had disappeared, without notice.

        He did give notice though....

        ... on his personal Mastodon account.

        If you didn't check that, and from the comment it doesn't seem like you did, I totally expect it would feel "unprompted".

        Personally, I might've sent an email or something to all registered people, but I don't have any "big" hosted thing, so I don't know if there would be any better ways to do so.

        3 votes
      2. vegai
        Link Parent
        People are actually paying for the git service. Of course it's not gonna just go away.

        People are actually paying for the git service. Of course it's not gonna just go away.

        2 votes
  3. spit-evil-olive-tips
    Link
    the example module he quotes is kind of funny: var toString = {}.toString; module.exports = Array.isArray || function (arr) { return toString.call(arr) === '[object Array]'; }; so by default it...

    the example module he quotes is kind of funny:

    var toString = {}.toString;
    
    module.exports = Array.isArray || function (arr) {
      return toString.call(arr) === '[object Array]';
    };
    

    so by default it simply uses the built-in Array.isArray method.

    if that's not defined, it has a fallback, which is...checking if its stringified representation is [object Array]. oof. it works, I guess.

    but that native isArray method has been around since Chrome version 5, Firefox version 4, and IE 9. which seems to have been 2010 or 2011 based on this and this.

    how many of the people using that module realize there's a built-in they can use instead, that'll work perfectly on any browser that's not 10 years old?

    5 votes
  4. skybrian
    Link
    Go's module proxy would prevent this. You effectively don't get to delete a module yourself once it's published. (Though they might make exceptions on a case-by-case basis when contacted about a...

    Go's module proxy would prevent this. You effectively don't get to delete a module yourself once it's published. (Though they might make exceptions on a case-by-case basis when contacted about a malicious module.)

    2 votes
  5. scrambo
    Link
    I wonder if this is going to cause any more outages..... Do you think ~$1K USD is enough motivation for someone to pull their package from NPM? Will this cause "a great flattening" of NPM...

    I wonder if this is going to cause any more outages..... Do you think ~$1K USD is enough motivation for someone to pull their package from NPM? Will this cause "a great flattening" of NPM dependencies or simply make people laugh and move on through their day? Will NPM change? Find out next week!

    1 vote
  6. teaearlgraycold
    Link
    This ends up punishing the wrong people. I try to make sane decisions about what to turn to NPM for and what to write myself. But somewhere down the dependency tree an idiot developer couldn't...

    This ends up punishing the wrong people. I try to make sane decisions about what to turn to NPM for and what to write myself. But somewhere down the dependency tree an idiot developer couldn't figure out if a value is an array or not on their own and now I need to pay for that?

    1 vote