Current Behavior
The CLI command npm install update does not add missing packages and then update all dependencies to the latest version, as might be intuitive. Instead, it adds 55 vulnerabilities (8 low, 2 moderate, 42 high, 3 critical) to the project.
The update package, which is the source of the confusion, is abandonware from seven years ago. None of the hundred-odd dependents on this project are actually using it, as visible by the lack of an updatefile.js in their projects. These dependents all have about one weekly download. However, the update package itself has over 35,000 downloads per week, despite not being maintained or used. Thus, this is apparently a common problem that NPM users run into. https://www.npmjs.com/package/update
The install package has a staggering 500,000 weekly downloads and 1600 dependents, despite being a tiny require() utility, abandoned 5 years ago, whose features are now already part of core JS, and is not apparently utilized by its dependents.
Similarly, the build package has 39,000 weekly downloads, has not been updated in twelve years, is explicitly not maintained in its docs, and is not apparently being used in its hundreds of dependents. It adds one high and three critical vulnerabilities.
The clean package has 15,000 weekly downloads, and support was dropped eight years ago.
The start package has 12,000 weekly downloads, has not been maintained in seven years, and has no evidence of being used in its dependents.
In addition to the unneeded added install time and growth of node_modules and package-lock files, these common mistaken installs add vulnerabilities to a large number of projects.
Expected Behavior
The best solution is to prevent npm reserved words from being used as package names (or at least, the most common ones). Packages currently using those names, unless they have been actively maintained within at least the last half-decade, should be renamed for clarity.
Another possible solution is to add aliases to the install and update commands to handle these common mistakes specifically. E.g. npm install update should just run the update target, and npm install clean should run npm ci. npm install install or npm i install should simply run npm i. If people need these abandoned libraries for some reason, they could use npm install update@latest or npm install --save update.
Steps To Reproduce
In a new npm init environment
Run npm install update
Observe vulnerability reports in install logging
There’s all sorts of packages people mistakenly install that they don’t need, like node builtins (see npmjs.com/fs). This isn’t a problem that’s fixable with a technical restriction.