Incident report: npm, Inc. operations incident of January 6, 2018
Overview
On Saturday, January 6, 2018, we incorrectly removed the user floatdrop and blocked the discovery and download of all 102 of their packages on the public npm Registry.
Impact
Some of those packages were highly depended on, such as require-from-string, and removal disrupted many users' installations.
Trigger
A package was published that contained spam content together with the README of timed-out, a legitimate package belonging to floatdrop. Because the READMEs matched, our spam system flagged floatdrop as associated with the spammer. In the course of reviewing and acting on spam reports, an npm staffer acted on this flag without further investigating the user and removed the user and all of their packages from the registry.
Detection
Within 60 seconds, it became clear that floatdrop was not a spammer, and that their packages were in heavy use in the npm ecosystem. The staffer notified colleagues and we re-activated the user and began restoring the packages to circulation immediately.
Resolution
We re-activated the user and began restoring the packages to circulation immediately. Most of the packages were restored quickly, since restoration was a matter of unsetting the deletion tombstones in our database and restoring the package data tarballs and package metadata documents.
Root Cause
Our systems incorrectly flagged floatdrop, and npm personnel mistakenly removed their account.
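The Trigger and Root Cause sections describe the failure: an exact README match made the spam system associate a legitimate author with a spammer, and that association was acted on without review. The following is an added example, not npm's code, of how such a README-match triage could refuse automatic action when the evidence points to a victim rather than a spammer: the matching package was published before the spam package (so the spammer copied it), or the account publishes widely depended-on packages. The Package fields, thresholds and sample registry are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Package:
    name: str
    owner: str
    readme: str
    published: int   # publish time as an increasing integer (constructed)
    dependents: int  # number of registry packages depending on this one


def readme_digest(readme: str) -> str:
    """Normalise whitespace and case before hashing so trivial edits still match."""
    normalised = " ".join(readme.lower().split())
    return hashlib.sha256(normalised.encode()).hexdigest()


def triage_readme_matches(spam: Package, registry: list, dependents_threshold: int = 100) -> dict:
    """Map each owner of a README-matching package to 'flag' or 'review'.

    'flag'   : the matched package appeared after the spam package and nothing
               depends on the owner's packages, so the normal spam workflow applies.
    'review' : a human must look before any account action, because the match is
               explained by the spammer copying an existing README, or because the
               owner publishes packages that many others depend on.
    """
    target = readme_digest(spam.readme)
    verdicts = {}
    for pkg in registry:
        if pkg.owner == spam.owner or readme_digest(pkg.readme) != target:
            continue
        copied_from_them = pkg.published < spam.published
        widely_used = any(p.dependents >= dependents_threshold
                          for p in registry if p.owner == pkg.owner)
        verdict = "review" if (copied_from_them or widely_used) else "flag"
        if verdicts.get(pkg.owner) != "review":  # never downgrade a review verdict
            verdicts[pkg.owner] = verdict
    return verdicts


# Constructed sample registry: package names from the report, all data invented.
README = "# timed-out\n\nEmit `ETIMEDOUT` if a request takes too long."
SAMPLE_REGISTRY = [
    Package("timed-out", "floatdrop", README, published=100, dependents=800),
    Package("require-from-string", "floatdrop", "# require-from-string", 120, 1500),
    Package("free-gift-cards", "spammer-a", README, published=500, dependents=0),
    Package("win-prizes-now", "spammer-b", README, published=600, dependents=0),
]
SPAM_REPORT = SAMPLE_REGISTRY[2]  # the reported spam package that reused the README

if __name__ == "__main__":
    for owner, verdict in triage_readme_matches(SPAM_REPORT, SAMPLE_REGISTRY).items():
        print(f"{owner}: {verdict}")
```

Run against the sample registry, floatdrop lands in "review" because timed-out predates the spam package, while a later account reusing the same README with no dependents is flagged normally.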
