One of the developers of JavaScript packages introduced an experiment on the NPM repository. The experiment involved the creation and placement of the package “EVERYTHING“, which includes dependencies for all existing packages in the repository. The package “EVERYTHING” is connected to direct dependencies with five packages named “N”, and each of these packages is linked to over 3,000 sub-chunk-n packages, with each sub-package being bound to 800 existing packages in the repository.
The placement of the “EVERYTHING” package in NPM has resulted in two interesting effects. Firstly, the “EVERYTHING” package has become a tool for conducting DOS attacks. Attempting to install the package leads to the loading of millions of packages in NPM, which can exhaust the available disk space or halt assembly processes. According to NPM statistics, the package has been loaded approximately 250 times. However, the package can still be added as a dependency to other packages by manipulating the developer’s account. This has affected services and tools that monitor and check new packages in NPM which were involved in the attack.
Secondly, the publication of the “EVERYTHING” package has effectively blocked the removal of any packages in NPM that are listed as its dependencies. Normally, a package in NPM can only be removed by its author if it is not being used as a dependency by other packages. However, after the publication of “EVERYTHING,” all packages in the repository became dependent on it. Interestingly, attempting to remove the “EVERYTHING” package itself is also blocked, as a test package “eVrything-else” was added to the repository 9 years ago, which contains a list of dependencies that includes the package “EVERYTHING.”