Bars Icon

‘everything’ blocks devs from removing their own npm packages

17-01-2024 11:40 AM

Over the holidays, the npm package registry was flooded with more than 3,000 packages, including one called “everything,” and others named a variation of the word.
The package is quite aptly named as downloading “everything” will gradually pull in every single npm package that’s ever been published to the npmjs.com registry onto your computer, potentially making it run out of storage. But, that’s just the tip of the iceberg.
If you’re asking, “But who would install ‘everything’?”—that ignores a bigger side-effect of the package.
Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of npm’s policy.

everything prevents you from unpublishing your packages

What may have started as a simple prank, ended up having bigger repercussions for all authors across the npm ecosystem.
Installing everything could have just caused your computer to potentially fall short of storage space and slow down, but the package’s mere existence on npmjs.com prevents authors—unrelated to this package whatsoever, from unpublishing their packages from the world’s largest JavaScript software registry.

The “everything” package has just 5 sub-packages, published under the “@everything-registry” scope, listed as its dependencies, BleepingComputer has observed.
These 5 packages, however, gradually manage to pull in every single package present on the entire registry as a dependency. For example, “everything” pulls in “@everything-registry/chunk-2,” which may further attempt to pull in several other packages by the same author, such as “@everything-registry/sub-chunk-1623.”

Each of these sub-packages (or “chunks” as the author calls them), ultimately includes about 800 npm projects as their dependency.
Considering the author of “everything” has published 3,000 plus such packages (chunks), each with hundreds of dependencies, a single `npm install everything` command will start resolving, what’s referred to as transitive dependencies, and end up downloading millions of packages.