Willow (GHOST)
🧙🏼♀️Working on Open Source! (she/her) 🎃
🐘 @onlyspaceghost@fosstodon.org
X @onlyspaceghost
- how many eslint rules do people have in their configs... I wonder if I am enabling too many xD
- for sure - I'm using oxlint so should be fast!
- Did you know there are at least 139 packages on npm that start with a hyphen/dash? Curiously, some of them look like CLI flags: `--frozen-lockfile`, `--fix-lockfile`, `--legacy-peer-deps`, `--ignore-scripts`, `--ignore-workspace-root-check`. You've also got the package with a single dash for a name: `-`
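The post above describes package names that read like CLI flags. The following is an added example, not code from the thread, from npm or from validate-npm-package-name: a pre-install audit that flags dependency names which would be parsed as command-line flags and checks them against npm's documented rules for new package names (non-empty, at most 214 characters, lowercase, no leading `.` or `_`, no surrounding whitespace, URL-safe characters, no `~'!()*`, scoped names shaped as `@scope/name`). Rejecting a leading hyphen follows the thread's note that such names are no longer valid. The `package.json` content and the function names (`looksLikeCliFlag`, `checkPackageName`, `auditDependencies`) are constructed for this demonstration.

```javascript
// Added example (not code from the thread or from npm): audit dependency names
// for flag-like entries and for violations of npm's new-package naming rules.
// The sample package.json at the bottom is constructed for the demonstration.

const MAX_NAME_LENGTH = 214;
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// A name beginning with "-" is indistinguishable from a flag on a command line
// such as `npm install <name>`, which is the trick the thread describes.
function looksLikeCliFlag(name) {
  return typeof name === 'string' && name.startsWith('-');
}

// Returns an array of human-readable problems; an empty array means the name passes.
function checkPackageName(name) {
  if (typeof name !== 'string' || name.length === 0) {
    return ['name must be a non-empty string'];
  }
  const problems = [];
  if (name.length > MAX_NAME_LENGTH) problems.push(`name exceeds ${MAX_NAME_LENGTH} characters`);
  if (name !== name.toLowerCase()) problems.push('name must be lowercase');
  if (name.trim() !== name) problems.push('name cannot have leading or trailing whitespace');
  if (name.startsWith('.') || name.startsWith('_')) problems.push('name cannot start with "." or "_"');
  if (looksLikeCliFlag(name)) problems.push('name starts with "-" and would be parsed as a CLI flag');

  // Scoped names are "@scope/name"; each segment must be URL-safe on its own.
  const segments = name.startsWith('@') ? name.slice(1).split('/') : [name];
  if (name.startsWith('@') && segments.length !== 2) problems.push('scoped name must be @scope/name');
  for (const segment of segments) {
    if (segment.length === 0 || encodeURIComponent(segment) !== segment) {
      problems.push(`segment "${segment}" is empty or not URL-safe`);
    }
  }
  // npm rejects these characters in the package part of new names even though
  // encodeURIComponent leaves them untouched.
  if (/[~'!()*]/.test(segments[segments.length - 1])) {
    problems.push('name cannot contain the special characters ~\'!()*');
  }
  return problems;
}

// Walks every dependency field of a parsed package.json and collects findings,
// so the audit can run before any install script gets a chance to execute.
function auditDependencies(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const name of Object.keys(pkg[field] || {})) {
      const problems = checkPackageName(name);
      if (problems.length > 0) findings.push({ field, name, problems });
    }
  }
  return findings;
}

// Constructed sample package.json (hypothetical project) mixing ordinary
// dependencies with two flag-like names of the kind the thread lists.
const SAMPLE_PACKAGE_JSON = {
  name: 'demo-app',
  dependencies: {
    lodash: '^4.17.21',
    '@scope/pkg': '1.0.0',
    '--frozen-lockfile': '*',
  },
  devDependencies: {
    '-': '1.0.0',
  },
};

for (const finding of auditDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${finding.field}: "${finding.name}" -> ${finding.problems.join('; ')}`);
}
```

Run it with `node audit.js` against a parsed `package.json`; wiring `auditDependencies` into a `preinstall` hook is pointless for this case, since the whole concern is what runs at install time, so run it from CI or a pre-commit check instead.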
- Yeah, it's probably how they're validating package names on the backend. I opened a PR for this in validate-npm-package-name github.com/npm/validate...
- we could patch npmx but we'd also have to patch fast-npm-meta and all other tools that rely on validate-npm-package-name 🙃
- I was thinking to myself like, someone must have intentionally published these because it's not easy to just publish a package, but I didn't make that connection 🤦♀️
- updated my thread 👀
- `--legacy-peer-deps` was pulled by npm as it did in fact contain malicious code, good spot @lukewarlow.dev bsky.app/profile/luke...
- Maybe there are some more interesting ones out there? Just please don't install them in case they are malware! 😄
- I compiled a list here if anyone is interested, although there may be more as I'm missing some packuments from my replica cache! gist.github.com/ghostdevv/db...
- `--frozen-lockfile`, `--ignore-scripts`, `--fix-lockfile`, and `--ignore-workspace-root-check` all contain one JS file from the same author - it's pretty incredible stuff actually
- Some of these presumably must be malware designed to trick people?
- oh good point!! fortunately it's not a valid package name anymore