[BUG] Packages with names that collide with CLI commands introduce vulnerabilities into projects by mistake

[ficocelliguy]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

The CLI command npm install update does not add missing packages and then update all dependencies to the latest version, as might be intuitive. Instead, it adds 55 vulnerabilities (8 low, 2 moderate, 42 high, 3 critical) to the project.

The update package, which is the source of the confusion, is abandonware from seven years ago. None of the hundred-odd dependents on this project are actually using it, as visible by the lack of an updatefile.js in their projects. These dependents all have about one weekly download. However, the update package itself has over 35,000 downloads per week, despite not being maintained or used. Thus, this is apparently a common problem that NPM users run into.

https://www.npmjs.com/package/update

The install package has a staggering 500,000 weekly downloads and 1600 dependents, despite being a tiny require() utility, abandoned 5 years ago, whose features are now already part of core JS, and is not apparently utilized by its dependents.

Similarly, the build package has 39,000 weekly downloads, has not been updated in twelve years and is explicitly not maintained in its docs, and is not apparently being used in its hundreds of dependents. it adds one high and three critical vulnerabilities.

The clean package has 15,000 weekly downloads, and support was dropped eight years ago.

The start package has 12,000 weekly downloads, has not been maintained in seven years, and has no evidence of being used in its dependence.

In addition to the unneeded added install time and growth of node_modules and package-lock files, these common mistaken installs add vulnerabilities to a large number of projects.

Expected Behavior

The best solution is to prevent npm reserved words from being used as package names (or at least, the most common ones). Packages currently using those names, unless they are actively maintained in at least the last half-decade, should be re-named for clarity.

Another possible solution is to add aliases to install and update commands to handle these common mistakes specifically. e.g. npm install update should just run the update target, and npm install clean should run npm ci. npm install install or npm i install should simply run npm i. If people need these abandoned libraries for some reason, they could use npm install update@latest or npm install --save update

Steps To Reproduce

1. In a new npm init environment
2. Run npm install update
3. Observe vulnerability reports in install logging

[ficocelliguy]

@wraithgar @ljharb I'm interested in your thoughts on this, in regards to the recent discussion of protecting npm's cli reserved words on #7202

[ljharb]

There’s all sorts of packages people mistakenly install that they don’t need, like node builtins (see npmjs.com/fs). This isn’t a problem that’s fixable with a technical restriction.