When "Everything" Goes Wrong: NPM Dependency-Hell Campaign – 2024 Edition
January 2024 by Checkmarx
This act of digital mischief by PatrickJS echoes past incidents, highlighting ongoing challenges in package management and the cascading effects of dependencies within the NPM ecosystem. The situation underlines the comedic yet serious consequences of such pranks in the developer community.
NPM user account gdi2290, aka PatrickJS, published a troll campaign to the NPM registry by uploading a package named "everything", which relies on every other public NPM package, resulting in millions of transitive dependencies.
This leads to Denial of Service (DOS) for those who install "everything, "which causes issues like storage space exhaustion and disruptions in build pipelines.
The creators of the "everything" package have published over 3000 sub-packages. These sub-packages are designed to split the dependencies into chunks and to depend on all publicly available NPM registry packages.
The creators have also registered the domain https://everything.npm.lol/. On this website, they showcase the ensuing chaos and incorporate a famous meme from The Elder Scrolls V: Skyrim, adding an extra layer of humour or mockery to the situation.
Not the first time this has happened
A year ago, we encountered a situation with the package "no-one-left-behind" by Zalastax. This package depended on every publicly available npm package, creating an intricate web of dependencies. Despite being removed by the npm security team, a new development emerged on Jan 28th, 2023. Over 33,000 packages under the scope "infinitebrahmanuniverse," prefixed with "nolb-," surfaced as sub-packages of "no-one-left-behind."
The downsides of these trolls
Imagine you did an experiment, published a package to NPM and now you want to remove your NPM package. You can’t do it if other packages are using it. The problem is, since "everything" relies on every package (including yours), your package gets stuck, and there’s some unknown package preventing you from removing it.
An attempt to delete the packages
It doesn’t seem PatrickJS realized the headache his troll would cause to some users. Two days after the prank packages were published, he created an issue and shared that he is unable to delete the packages since the NPM mechanism prevents deletion of published packages once they are being used by other projects and calls for help from NPM support team.