Laurie Voss
A major international bank accidentally published a private package of their own to the public npm Registry, took *3 years* to notice, and then sent DMCA takedown notices to Amazon and Cloudflare for hosting "stolen code". Now I have to pay a lawyer to explain this to them.
Laurie Voss 11 Mar 19
Replying to @seldo
We sell a thing that prevents this kind of mistake, it is called npm Enterprise, you should all really look into it instead of making me spend money to explain how npm publish works to your lawyer.
Laurie Voss 11 Mar 19
Replying to @seldo
(I should make clear that this kind of legal confusion happens ALL THE TIME and is a genuine source of overhead in running the registry)
Laurie Voss 11 Mar 19
Replying to @seldo
Our lawyer is also going to need to explain to a bank why a React package does not constitute "Stolen Financial Credentials" oh lord
Laurie Voss 11 Mar 19
Replying to @jxxf
No. Honestly, I shouldn't even have tweeted about this one, even though it wasn't a "real" DMCA notice. Most DMCAs we get are valid, people do in fact post actual stolen code pretty often.
Antonín J. 🌈 11 Mar 19
Replying to @seldo
quick question, when did NPM add support for private packages?
Laurie Voss 11 Mar 19
Replying to @AntJanus
2014.
Rick Waldron 11 Mar 19
Replying to @seldo
Wow, this is obnoxious.
Laurie Voss 11 Mar 19
Replying to @rwaldron
Me or them?
Anthony Maton 11 Mar 19
Replying to @seldo
This is the exact reason why where I work, the corporate proxy prevents pushing to npm and all publication of company code is done through a regulated delivery pipeline. I hope this won't cost npm too much :(
Laurie Voss 11 Mar 19
Replying to @_anthonymaton
The package in question contains a README with details of the company's own proxy for the same purpose, so presumably such measures are not 100% effective.