Recently, I was browsing through NPM (what?) when I came across some really interesting and fascinating packages. Of course, I left the most interesting one to the last π¬.
is-positive
This was the package that initiated my deep dive into the depths of NPM's 683162 packages (it's probably more by the time I post this).
As it turns out, this package does indeed return whether the argument is positive.
const isPositive = require('is-positive');
isPositive(1);
//=> true
And that's all it does. I pondered about the possible use-cases of this package, because apparently, there are many.
I discovered another hidden gem when looking through the Dependents
section that NPM provides (there were 4 of them).
is-not-positive
This package simply does the exact opposite of what is-positive
does. Its description is incredibly apt.
is-negative
This being JavaScript, being non-positive probably doesn't mean being negative, so a new package had to be created to check for negativity.
This package's negativity was even apparent through its weekly downloads, which are considerably less than its more radiant counterpart.
true
This is where the true
fun begins. I stumbled across this quite by accident after entering a few other search queries like "is-wrong
" and "woah
". It turns out that this is actually a port of the Unix utility true
.
As with all Unix utilities, its usage was quite easy to grasp.
var t = require('./true')
var myTrueValue = t();
console.log(myTrueValue === true); // Logs 'true'
However, I felt that this package looked a bit shadier than the rest due to its use of var
. Thus, I decided to take a look at some of the open issues on its GitHub. You won't believe what happened next.
I felt betrayed.
As it turns out, there was a critical vulnerability in the code, discovered by Patrick Steele-Idem, who spent hours tracing down the problem down.
It turns out that another library had contained the following code, which caused true
to return false
.
require.cache[require.resolve('true')].exports = function() {
return false;
};
Luckily, he came up with a very quick fix that solved this issue.
setInterval(function() {
if (require('true')() !== true) {
// Fix it!
require.cache[require.resolve('true')].exports = function() {
return true;
};
}
}, 10);
Conclusion
Overall, (re)discovering all these wonderful packages has been a very rewarding experience for me. I will probably never do this again.
Top comments (18)
node_modules frightens me.
A simple npm/yarn install can yield thousands of depdencies... any one of which could cause the whole app to fail. It's a wonder anything works at all, really.
You won't believe how many datetimepicker packages that barely even work are out there. It's easier to implement your own than going through all of them datetimepickers.
Once You've written it, be sure to publish it to NPM!
NPM and GitHub are full of junk. Not just abandoned, pointless or broken packages, but silly/joke packages as well.
This may be fun at first, until you read this:
hackernoon.com/im-harvesting-credi...
It actually happened:
I don't know what to say. #116
@dominictarr Why was @right9ctrl given access to this repo? He added flatmap-stream which is entirely (1 commit to the repo but has 3 versions, the latest one removes the injection, unmaintained, created 3 months ago) an injection targeting ps-tree. After he adds it at almost the exact same time the injection is added to
flatmap-stream
, he bumps the version and publishes. Literally the second commit (3 days later) after that he removes the injection and bumps a major version so he can clear the repo of havingflatmap-stream
but still have everyone (millions of weekly installs) using 3.x affected.@right9ctrl If you removed flatmap-stream because your realized it was an injection attack why didn't you yank
event-stream@3.3.6
from npm and put a PSA? If you didn't know, why did you choose to use a completely unused/unknown library (0 downloads on npm until you use it)? If I had the exact date from npm in whichflatmap-stream@0.1.1
was published I wouldn't be asking you questions.I've included a break down of what I have so far on
flatmap-stream
below. It includes the portion of code not found in the unminified source offlatmap-stream@0.1.1
but found in the minified source. The code has been cleaned up a little to get a better understanding.The worst part is I still don't even know what this does... The decrypted data n[0] is byte code or something, not regular javascript, or maybe I'm just not handling it correctly.
For me the only one is left-pad who broke the internet in 2016, and I heard is was not even good code :)).
Now is even worse because the front end devs, for webpack and other utilities are using and writing more useless packages.
Now I feel the need to defend my solution of adding runtime code to ensure that a critical npm package is working as expected. I'm sure there are lots of developers out there that think that this kind of check is not needed, but what I like to remind people is that a system can fail for any number of reasons (CPUs can make mistakes or a bit can be flipped in memory due to an electrical surge). I usually don't work on software where people's lives depends on it, but I like to code as though I do. And for that, defensive programming is key. Not only do I add runtime checks in all of my functions to detect runtime bugs, I also like to add code that will look back at the call trace and fix the problematic code by patching code using heuristics and sophisticated algorithms to prevent problems from spreading to other parts of the system. I've been coding for years and this strategy has served me well.
Ah I see. Defensive programming is indeed the future.
Very Interesting, I will tried
This has to be a joke?
Yes, it is π
Phew, I admit, I had my logical brain on, the one with no sense of humour. Safe to say I had a weekend and feeling better π€
Glad that you are feeling better :)
All these packages are meant to be used in composition when doing functional programming.
Ahhh... that makes a lot more sense!
You made my day man, thank you
Hilarious! Thanks for sharing.