The policy basically states that at any point you might not be able to unpublish anymore. The fact that people panicked over this just tells you how many people didn't understand the freedoms as an author they agreed to give up because of left-pad, npm stripping a package name from someone, and the overall JS ecosystem where everything is a dependency, even things that shouldn't be.
@CEOofGameDev (10 months ago)
damn, you didn't get to the funniest bit. The everything package uses the "require:*" or whatever it's called from NPM, that requires every single version of the package. So no one can remove ANY version of their packages. I just love the existence of that feature to begin with...
@wlockuz4467 (10 months ago)
That "No. I decided I don't care." is just whole another mood.
@lemon__snicker5973 (10 months ago)
*...just a whole other...
@sumpwa (10 months ago)
NPM makes the AUR look civil and professionally organized.
@carlpittenger (10 months ago)
wait what's wrong with the AUR?
@mirsella6204 (10 months ago)
@carlpittenger imo the AUR is incredible. but there are a LOT of outdated and broken packages.
@carlpittenger (10 months ago)
@mirsella6204 yeah, I suppose that's the price of having such a comprehensive package database. I was just wondering if there was any npm-esque event I missed in the AUR world.
@mk72v2oq (10 months ago)
@carlpittenger there are lots of garbage packages and moderators don't really care. But it is not that important, you can simply ignore them as well. The worst case scenario is when a package you need is low quality or even broken. Most of the time you can reach an agreement with a maintainer though.
@3lH4ck3rC0mf0r7 (10 months ago)
@mk72v2oq Not to mention usually someone posts a fixed PKGBUILD in the comments section
@Dev-Siri (10 months ago)
"World's biggest JavaScript Toilet" tweet that
@HansVanIngelgom (10 months ago)
PatrickJS can put "author of everything on npm" on his resume. He should have used all capital letters, if you ask me.
@miikavihersaari3104 (10 months ago)
At some point for some reason the software industry just collectively decided that computing shouldn't be about computers - and also that it should be crazy. Then everyone overdelivered on the crazy.
@RAZR_Channel (10 months ago)
NPM " The World's LARGEST... Javascript : Toilet "...
@TheD3adlysin (10 months ago)
Wait til he finds out it's trash... he already knows it's trash.... yep. Pre-known.
@wedding_photography (10 months ago)
For those curious, the total size of all NPM packages combined is 24TB. Total number of packages: 3.3 million. So it's almost doable, you just need to RAID some drives and have a very fast internet.
@BrunodeSouzaLino (10 months ago)
Why would you need RAID drives? That's too much work and npm doesn't deserve that. Just grab one 22TB and one 2TB, JBOD or stripe them and ask the NPM maintainers to forbid the drives from failing.
@billybumpers (9 months ago)
This is awesome and prevents bad actors from stripping packages
@AlLiberali (10 months ago)
I'd love to see the day some sort of malware spreads everywhere that just runs npm install everything if the host has node. Aka how to crash the internet
@Gambloide (10 months ago)
Imagine if he had made the end of this everything-dependency-chain depend on the root everything-package (●'◡'●)
@pepkin88 (10 months ago)
There is a package called "everything-else", which depends on "everything", and that's why they couldn't unpublish "everything" to fix the issue. Interestingly, "everything-else" was published 9 years ago, according to npm.
@Iswimandrun (10 months ago)
Cyclical dependencies are an insult to logical reasoning.
@JanMagnusson72 (10 months ago)
You can also depend on version '*', including any future versions, which further simplifies any package removal. 😂 I agree with you on Go. Go does this better than pretty much any other ecosystem. And npm is right there at the bottom of the barrel.
@piff57paff (10 months ago)
Actually this also blocked the package removal. XD Sometimes I feel sorry for JS devs.
@MemeConnoisseur (10 months ago)
Can't wait for the everything 2.0.0 package update
@BrunodeSouzaLino (10 months ago)
In a way, npm is a nice analogy for the Node.js community itself. Also, not allowing people to remove their packages will not prevent people from getting back at you by adding malicious code to their package as a way of protesting.
@dr_regularlove (10 months ago)
Last time I had to work on a Node project I made a mapping in Vim to dispatch a command to tmux to blow away node_modules and reinstall, because this was needed so damn frequently.
@EdwinMartin (10 months ago)
On npm, you can't publish a package with a lower version number than the latest package.
@lostsauce0 (10 months ago)
Npm does let you host private registries. We use a custom registry as a cache for all our packages. If npm goes down we're still good.
@codeman99-dev (10 months ago)
Last I checked hosting your own registry is not exactly easy or straightforward. Has that part improved since 2019? That's when I was last using node.js professionally.
@earthling_parth (10 months ago)
@codeman99-dev I don't know about anything else but we use Nexus as our NPM package registry and it's a pretty straightforward, set-up-and-forget kind of thing.
@laloqf (10 months ago)
Same, Nexus is very easy to set up and configure for your project
@StingSting844 (10 months ago)
Even if you use npm/yarn/whatever you can pull code from any registry or git service. We actively use this every day
@mattjohnson2975 (10 months ago)
4:02 Patrick is a genius.
@johannes-vollmer (10 months ago)
Why would you upload a package to NPM with the explicit plan to unpublish it?? How can you be so sure that a normal developer doesn't reference your package in the meantime? It doesn't need the 'everything package' for this problem to occur.
@Puzomor (10 months ago)
If the "Head of Software *Supply Chain _Security_*" doesn't see an issue with making your product rely on a free 3rd party site to begin with, then software development as an industry has much bigger problems.
@TrimutiusToo (8 months ago)
everything depended cyclically on everything, so it was impossible to delete, period
@HedgehogGolf (10 months ago)
Dammit, "Primea-gin" was a good one
@fala8643 (10 months ago)
>Make a package >Maintain for some time >People crying for updates >"No. I decided I don't care." >Leave Gigachad move 🔥
@ContortionistIX (10 months ago)
npm also allows local packages
@marcusrehn6915 (10 months ago)
And git if you want to use that!
@jimmyneutron1776 (10 months ago)
Today I ran into a brand new npm problem that drove me crazy! Part of it is my mistake, but I put an install step inside of my Azure AppService for a Nest app. I was hitting the soft open file descriptor limit in the docker container, which led to random files inside of node_modules being only partially written to, and runtime syntax errors. Really annoying
@shadowpenguin3482 (10 months ago)
10:18 regarding git tags, there is nothing preventing you from deleting git tags in your own repository to change code to something malicious, so it suffers from the same issue, no?
@bepamungkas (10 months ago)
since a tag refers to a commit hash, it's pretty trivial to spot the problem by comparing commit hashes of the local cache vs the origin source. Go did something similar: publicly you refer to a tag (or other human-friendly signifier) in go.mod, but internally it keeps track of which version of the code it pulled under go.sum. If a nefarious party does a tag replacement, the checksum won't match and either you or the publisher has to resolve it manually.
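The go.sum mechanism described in the comment above, as an added example that is not part of the original comment or of the Go toolchain: it reimplements the "h1:" directory hash that go.sum records (the Hash1 algorithm from golang.org/x/mod/sumdb/dirhash) over a constructed in-memory module and shows that a tag moved to a commit with a changed file no longer verifies. The module path example.com/m, its version and its files are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// ModuleFiles is a constructed, in-memory stand-in for the files inside a
// module zip, keyed by their path inside the zip ("module@version/file").
type ModuleFiles map[string]string

// Hash1 reproduces the "h1:" dirhash used in go.sum: for every file, sorted
// by name, append "<sha256 hex>  <name>\n" to a running SHA-256, then
// base64-encode the final digest. This is a reimplementation written for
// this example, mirroring the published algorithm, not the toolchain's code.
func Hash1(files ModuleFiles) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256([]byte(files[name]))
		fmt.Fprintf(h, "%x  %s\n", sum, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// SumLine formats the go.sum entry a build would record for a module version.
func SumLine(modPath, version string, files ModuleFiles) string {
	return fmt.Sprintf("%s %s %s", modPath, version, Hash1(files))
}

// Verify parses a recorded go.sum line and checks whether the files now
// served under that tag still produce the same hash. A false result is the
// situation the toolchain reports as a checksum mismatch.
func Verify(sumLine string, files ModuleFiles) (bool, error) {
	fields := strings.Fields(sumLine)
	if len(fields) != 3 || !strings.HasPrefix(fields[2], "h1:") {
		return false, fmt.Errorf("malformed go.sum line: %q", sumLine)
	}
	return fields[2] == Hash1(files), nil
}

// Constructed sample module: what example.com/m contained when v1.0.0 was tagged.
var original = ModuleFiles{
	"example.com/m@v1.0.0/go.mod": "module example.com/m\n\ngo 1.21\n",
	"example.com/m@v1.0.0/pad.go": "package m\n\nfunc LeftPad(s string, n int) string { return s }\n",
}

func main() {
	line := SumLine("example.com/m", "v1.0.0", original)
	fmt.Println(line)
	// Same tag name, but the tag was moved to a commit with a changed file.
	retagged := ModuleFiles{}
	for k, v := range original {
		retagged[k] = v
	}
	retagged["example.com/m@v1.0.0/pad.go"] += "func init() {}\n"
	ok, _ := Verify(line, retagged)
	fmt.Println("retagged v1.0.0 matches go.sum:", ok)
}
```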
@echoman_underscore (10 months ago)
this is awesome, sad to see it go
@gixxerblade (10 months ago)
Theo did a pretty good job explaining this better than that article.
@SeRoShadow (10 months ago)
Just curious, what happens when: 1. The package depends on itself. 2. The first package depends on a second package that also depends on the first package.
@litfill54 (10 months ago)
ouroboros
@partisan-bobryk (10 months ago)
"Apparently, I've never been on live television before"
@williamdrum9899 (10 months ago)
What if there was Everything2 that contained Everything and Everything also contained Everything2
@dmitriyrasskazov8858 (10 months ago)
Does the package of all packages contain itself?
@qlx-i (10 months ago)
And all of the time
@RRKS_TF (10 months ago)
Well naturally everything should depend on everything, which includes itself. So everything 2 is not needed.
@TankorSmash (10 months ago)
9:55 Elm mentioned, let's go
@RandomGeometryDashStuff (10 months ago)
10:09 salted sha where the salt is the version number or something useful?
@PaperBenni (10 months ago)
How has it taken this long for someone to try this? And why was the name 'everything' not in use since the very beginning?
@nomadshiba (9 months ago)
btw you can `npm i git://...`, works with bun too. If you are wondering, you don't have to put stuff on npm; I do that
@casraf (10 months ago)
I guess there's nothing preventing you from directly installing npm packages from their Git source, right? Or do they still go through some of npm's servers? Why not make sure one of the other package managers can avoid it and work entirely from git if set up that way? Edit: Oh, I guess you would have to have the dist files built and released somewhere, right? Because you would get uncompiled source... I guess that's the missing link, how do we account for that?
@RRKS_TF (10 months ago)
Just compile the source. Easier said than done, but if you get a large market share of support for this feature, it should be easy provided such packages detail how to build them from source.
@casraf (10 months ago)
@RRKS_TF yeah that's always an option, but with so many differing build steps, or often with necessary env values on build and such, it will probably mean most packages need your understanding and inputs, which is what pre-built sources help mitigate for you... I just wouldn't say it's practical right now. Maybe some idea will rise to make something like this more feasible
@RRKS_TF (10 months ago)
@casraf I agree it is not currently practical. The closest thing that currently exists (for C/C++) is CMake. I am in the middle of working on my own build system whose configuration file is a Lua program that generates the build command. I'm yet to expand it to support pretty much anything beyond adding basic compiler flags. My end intention with the project is to have a simple add_package function that takes either a path on a filesystem or a URL for a git repo and be able to build from source or download a suitable pre-built source. It is ambitious and if I am being honest with myself I will likely never implement those features as I don't really want to convert a big library like libtorch to my unique and custom build system.
@MaxUgly (10 months ago)
Patrick deserves a bug bounty. tl;dr: "Reaction" suggestion, ass kissing, thank you for being a motivation for someone with a "rough" past full of bad decisions. I had/have HPPD too, not fun and rare to hear discussed! If any of this is useful, it is public domain, obviously, but no matter your take on my long-for-no-reason comment. Bash me, analyze me and my analysis paralysis, whatever. Or don't even read this. Just please keep making videos! Have you seen Bill Burr's bit about Steve Jobs? It is on KZbin with the clickbait title "Bill Burr Destroys Steve Jobs and His Legacy in 5 Minutes". You can feel the awkwardness from the Apple purists through the screen. It is hilarious and satisfying! He asks a big question, I would love to hear your take and the interaction with twitch. I consume your content for the same reason I do his. You are transparent, never afraid to be the joke, and shit on your own flaws/failures just as much, if not more, than other people's. Even better is when we weren't thinking it, but should have been, it was obvious. Somehow culture, society, whatever somehow shaped us all to not think that way. Now we are all laughing at not just the joke, but ourselves, and we f^*ing learned to be more humble and free thinking! FIRE! love that shizz... The first video of yours hooked me so hard, super hard! I don't remember which it was, but you WENT IN on Stack Overflow, and I was crying laughing. It was like the nerd version of when Burr shit on Philly for fifteen minutes straight in their own city. I recommend that if you haven't seen it. It has nothing to do with coding so more of just "if you liked that one, check this one out". My past includes heavy drinking since my teenage years, quite a few years of HPPD in my 20's from heavy "hippy drugs" usage (tryptamines, MDMA, half of Alex Shulgin's book, ketamine, nitrous, etc...), ruining a scholarship, it keeps going, you get the point. You being so open about yours is f&^king motivational!
Role model seems corny and too much like just emulating someone. My approach is to steal certain specific ways of thinking from people like you or Lex Fridman, Bill Burr, Joey Diaz, for example. I may never come close to the level of whatever quality I want to borrow, but that is stupid to think about. Just keep making those baby steps, that is the way, you put it more eloquently in some video. Okay, I am going to STFU now. I did not kiss your ass and make up a "rough" life to get you to take my video request. Even though that would be hilariously pathetic! I am just confident it would make for some great content and selfishly want to see you and chat talk about it. I wish you and the family the best! I push the like button bro. I have been at work and pulled out my phone to double check that your video I watched the night before had my thumbs up. I am still a baby at coding, seriously just BASH scripts and markup/down (I don't know the diff...) but my first project is going to be some kind of overlay for specific KZbin channels as a FF extension reminding me to click like.
@animanaut (10 months ago)
"hey, wanna see a black hole?". types "npm install everything" and hits enter
@dave4148 (10 months ago)
Git tags can be deleted or replaced though, so they aren't immutable either?
@PhilippBlum (10 months ago)
I agree with you here: Go just has the superior management. Whatever git it is hosted on, you can add it.
@EdwinMartin (10 months ago)
And what about dependencies?
@PhilippBlum (10 months ago)
@EdwinMartin git submodules.
@apollolux (10 months ago)
In (IIRC) Theo's reporting of the thing, there were comments highlighting complaints about not being able to unpublish because of this. I'm of the mind that many of those complainers were disingenuous because either they didn't have modules in npm in the first place, they probably didn't even follow decent principles of reducing their own need for external dependencies, and/or when publishing to npm probably just put stuff up willy-nilly without decent versioning practices or even using unpublish in the first place.
@mdashlw (10 months ago)
"Rule 34 of America is that whatever idea you have of someone doing, there is an American that is doing that" truer words were never spoken on this channel
@andythedishwasher1117 (10 months ago)
lol did you not watch Theo's thing about this the other day? He kinda sniped you tbh. Had Patrick on like you talked about and everything.
@michaelgerullis4300 (10 months ago)
Yo, isn't versioning kinda very very awkward when using git as a package repo?
@ShankingDisaster (10 months ago)
it was literally like a 5 minute bug that just required an upgrade/update of powershell/terminal, package manager, and reboot device lol. was just annoying
@acharris (9 months ago)
And here I thought Composer (for PHP) had issues
@sunsetguys (10 months ago)
still laughing about that github issue 😂
@sunsetguys (10 months ago)
No. I decided. I Don't Care
@acetylslicylsyra (10 months ago)
The creator should have called it "lockchain" instead of "everything"
@klarkc (10 months ago)
package hash + decentralized registry is the only way to go
@paherbst524 (10 months ago)
I love you more than a friend
@thisbridgehascables (10 months ago)
Glad I don't use that many packages.. and really stray away from these managers for JS.
@marcusrehn6915 (10 months ago)
Git for package management is a terrible idea. Versioning is always trash in Go.
@loogabarooga2812 (10 months ago)
Never watched this dude stream. How often does he look into the camera and do the "the name is the promagen" thing?
@shapelessed (10 months ago)
What a great idea... And one breaking NPM's terms of service at that! That package doesn't serve any specific purpose other than exploiting the service's mechanics.
@williamdrum9899 (10 months ago)
Gotta love programmers and how good they are at finding loopholes
@tanotive6182 (10 months ago)
Of course TrashDev jambongled the whole JavaScript ecosystem 😂 True TypeScript GIGACHAD 💪
@borisoid (10 months ago)
World's largest JavaScript toilet XDDDD 2:20
@felgenh399 (10 months ago)
The name is a-drinks-a-gin
@andythedishwasher1117 (10 months ago)
lol your comments about Go and git are basically identical to my comments on Theo's video about this.
@chudchadanstud (10 months ago)
Lol did they really add a feature to download all the packages unironically?
@NeoShameMan (10 months ago)
everywhere all at once
@humansaremortal3803 (10 months ago)
Get his point of view!
@Adkoprek (10 months ago)
Hello, my name is Adam and I'm 15 years old. I started programming 2 years ago, in C++ and C#, not JS. And I'm just coding for fun, on average 2h per day. But, like every programmer in his career, I faced the impostor syndrome and I don't know: am I writing good code, am I writing code fast? Because I do it for fun I cannot compare myself to anyone. This was off the topic for this video but I would love your and everyone else's opinion. Keep up the good work!
@RRKS_TF (10 months ago)
In absolute quantities, you probably are not good at C++/C# but relatively you are very good. Not many people learn programming, especially low level languages like C++, at your age or later on in life. Don't compare yourself against others, especially this early on; it will do more harm than good in the long run. If you are looking for things to do then I personally (as a C++ dev with no professional experience) learned Vulkan, the basics of Rust, using a C++ compiler through the command line, intrinsics, especially vector intrinsics like AVX, Lua, and the SFML C++ library. These are the things that I recall running into myself while doing hobby projects, going wherever I felt like going, so you don't have to do any of the above, it's just what I did. (They are not in any particular order; definitely do not start with Vulkan or compiler intrinsics!)
@Adkoprek (10 months ago)
@RRKS_TF Thanks
@u9vata (10 months ago)
And people don't understand why I prefer languages where there is NO - literally NO - package management. Just clone that shit code from github/lab/gitea/etc and it's fine. Also npm makes people so lazy to never look at what the packages really do that I routinely have found HUGE bugs - like in the electron-compatible named pipe package and such...
@raniagus7280 (10 months ago)
If you depend on "*" why on earth would you care if the last version is deleted? This literally means you don't care about the version, so just use the previous one and that's it lol
@qwbarch (10 months ago)
I hope Patrick goes on your stream 😂
@HrHaakon (10 months ago)
One thing I have to ask is, are big orgs that do web things NOT having their own mirrors of repositories? Half of Maven's repos could go away tomorrow, and we'd not even notice, since everything we use has a mirror. (We use JFrog, which lets you do NPM as well, so I don't get it) Every time I see someone poking fun at the Java dev experience, I can wait two days and the cool kids with their typescripts and their treeshakes run balls first into something that we solved like 20 years ago. At some point being a Java dev is both looking forward to getting whatever's new and cool five years after everyone else, but also looking at the sheer clownery that is pretty much everyone else. You should be able to look whomstever is capable of fixing this straight (or gay, I mean, I'm not trying to heteronormatize you or whatever) in the eye and say that JAVA has fixed this, there is NO EXCUSE.
@stavsap (9 months ago)
just npm install --force until it's totally unusable, then fix
@programmingjobesch7291 (10 months ago)
Def prefer your reaction to this as opposed to Theo's 😂
@5kr0dy16 (10 months ago)
I'm viewing this from the past? 4:23 you see the date is set to 4/01/2024 lol top left
@tomtravis858 (10 months ago)
I can tell you're American.
@napreenkov (10 months ago)
does somebody know how bun resolves this kind of stuff?
@adissentingopinion848 (10 months ago)
Ah, yes. `npm install *`
@hakuna_matata_hakuna (10 months ago)
Pip is peak
@maxwebstudio (10 months ago)
When you inspect the index.js from the package, only one message: `console.log('You have installed everything... but at what cost?');` 😅
@illker. (10 months ago)
pypi is cool
@Necessarius (10 months ago)
Npm is a pain.. Just delete that from the internet
@DeanRTaylor (10 months ago)
There were some comments laughing at how angry people were on the issue on github, but the people commenting were probably experiencing some situation that was already frustrating, compounded by finding out some guys with too much free time were just messing around. Furthermore, the people at npm probably had other stuff to do, being called up because some dudes were trying to be funny and failed to see what the consequences of their abuse of open source would be. The actual number of contacts they got is probably significantly higher than what we can see. I personally was not affected and so I don't care. I do however find the fact that the left-pad incident is referred to as such quite funny. Npm and node were probably a mistake, but a mistake that has taught us a lot of good lessons. It would just be nice if people who are not malicious actors don't try to abuse the system.
@s-xatya5088 (10 months ago)
Should I still use node or switch to Java?
@qeqsiquemechanical9041 (10 months ago)
Switch, don't support this garbage stack
@AlLiberali (10 months ago)
Switch
@asdqwe4427 (10 months ago)
Are those your only options?
@andrewdupper973 (10 months ago)
i literally fail to see what the problem here was
@KristianTheDesigner (10 months ago)
God damNPM I am early!
@Zullfix (10 months ago)
Man, this article was pretty bad compared to Theo's coverage of the incident
@tom_marsden (10 months ago)
Another confirmation that JavaScript is just larping as a real programming language 😂
@ivan.jeremic (9 months ago)
Nobody installs everything... these kinds of packages are just created to be able to later make a blog post or a video to trash talk JS...
@_FFFFFF_ (10 months ago)
Nobody uses git decentralized??? c'mon.
@rapzid3536 (10 months ago)
I guess I don't find it impressive or funny. The only thing impressive is that the jackass said "oops sowies" and the internet believes there was "no malicious intent".
@jp263 (10 months ago)
Can we just agree to stop using JS 😊
@williamdrum9899 (10 months ago)
This article makes JS seem like the worst language of all time
@montz1757 (10 months ago)
"seem"?..
@georgeokello8620 (10 months ago)
Seem??? You must be new here
@williamdrum9899 (10 months ago)
Well I don't want to poo on a language I've never used.
@peterszarvas94 (10 months ago)
you know that trash dev was involved in it, right?
@edwardcullen1739 (10 months ago)
I am vindicated in my view that JS is trash. I should feel happy. I am not.
@akulkis (10 months ago)
One more reason to utterly abhor JavaScript programmers.
@geomorillo (10 months ago)
npm is hell literally 🤣
@someman7 (10 months ago)
Why are you encouraging the troll? For the lulz? That's idiotic