It seems there was once 4.18.0 but it doesn't exist anymore.
At least we have an entry in our lockfile.
express@^4.16.3, express@^4.17.1:
  version "4.18.0"
  resolved "https://registry.verdaccio.org/express/-/express-4.18.0.tgz#be2f777085cfe02c35a102f7c2ec0b0607488feb"
  integrity sha512-lRt69EvHaSDr9EkmDTGtcMROHo6M+2zy6yNusWD+1dbAgvte15N62ZYIcBy7BU14yS7msjwwpSQ9ssTCKkNqWg==
What happened there?
cc @dougwilson
I have never made a 4.18.0 release, so no idea what to say on this issue.
Your text shows a different registry than the official npm registry. I know at work we use Artifactory as a bridge and someone can (but we don't allow it) publish a new version that shadows a real module. Maybe that is what you're showing here? Who manages that registry? Perhaps they can see who published a 4.18.0 to it?
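The check suggested here, as an added example (not code from the issue or from the express or verdaccio projects): parse yarn.lock v1 entries, flag any package whose `resolved` URL points at a host other than the official npm registry, and compare the locked version against the set of versions known to be published there. The sample lockfile text and the `PUBLISHED` version sets are constructed for the example (the accepts entry and its integrity value are placeholders); in practice the published set would come from the registry's packument for each package.

```python
import re
from urllib.parse import urlparse

# Constructed sample yarn.lock text; the express entry mirrors the one in the issue.
YARN_LOCK = """\
express@^4.16.3, express@^4.17.1:
  version "4.18.0"
  resolved "https://registry.verdaccio.org/express/-/express-4.18.0.tgz#be2f777085cfe02c35a102f7c2ec0b0607488feb"
  integrity sha512-lRt69EvHaSDr9EkmDTGtcMROHo6M+2zy6yNusWD+1dbAgvte15N62ZYIcBy7BU14yS7msjwwpSQ9ssTCKkNqWg==

"accepts@~1.3.7":
  version "1.3.7"
  resolved "https://registry.npmjs.org/accepts/-/accepts-1.3.7.tgz#CONSTRUCTED"
  integrity sha512-CONSTRUCTED-PLACEHOLDER
"""

OFFICIAL_HOST = "registry.npmjs.org"

# Constructed excerpt of versions known to exist on the official registry.
PUBLISHED = {"express": {"4.17.0", "4.17.1"}, "accepts": {"1.3.7"}}

def parse_yarn_lock(text):
    """Return {package_name: {"version": ..., "resolved": ..., "integrity": ...}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Header line, e.g. express@^4.16.3, express@^4.17.1:  or  "accepts@~1.3.7":
            first = line.rstrip(":").split(",")[0].strip().strip('"')
            name = first.rsplit("@", 1)[0]  # keeps a leading @scope/ intact
            current = entries.setdefault(name, {})
        elif current is not None:
            m = re.match(r'\s+(version|resolved|integrity)\s+"?([^"]*)"?', line)
            if m:
                current[m.group(1)] = m.group(2)
    return entries

def audit(entries, published):
    """Return (package, reason) findings for non-official hosts and unknown versions."""
    findings = []
    for name, e in entries.items():
        host = urlparse(e.get("resolved", "")).hostname
        if host != OFFICIAL_HOST:
            findings.append((name, "resolved from non-official host %s" % host))
        if name in published and e.get("version") not in published[name]:
            findings.append((name, "version %s not on official registry" % e.get("version")))
    return findings

if __name__ == "__main__":
    for pkg, reason in audit(parse_yarn_lock(YARN_LOCK), PUBLISHED):
        print(pkg, "-", reason)
```

A real run would load the project's own yarn.lock and fetch each package's packument from the official registry to build the published set, so that a version served only by a mirror stands out.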
Ok, thanks for the fast response. We will check that again. I'm not exactly sure why this was in the verdaccio registry.
See https://github.com/verdaccio/ui/issues/374#issuecomment-568930138
I'm still not sure what to say, as I never published a 4.18.0 version. Perhaps we need to contact the npm registry? What is the issue exactly, though? Something that needs to be looked into on Christmas Day :) ?
Nothing critical and nothing to check now =) Please enjoy the holidays.
Ok, sounds good. I can always reopen this if there is something else you need me to look into or check.
So I looked in my email, and I keep all my emails where there is an npm package publish confirmation. I don't have one for an express 4.18.0 publish (as I would expect). But I'm not sure if those emails only go out to the person who does the publish or if it always goes to all owners of the module. If the former, then that makes sense why I don't have one, because I never did such a publish, but maybe there was an unauthorized publish? If the latter, then I have no idea how that registry mirror would have seen a phantom version.
I emailed npm support about it, to take a look on their end. If I get a response, I will post it here. There was an auto response that they are not working yesterday and today and so there will likely be a long delay due to a backlog of cases that would have built up.
I believe that it goes to all publishers/owners. I double checked the versions page and there are no 4.18.* releases on that. Hopefully this is just a fluke, but it would be really bad if there was an unauthorized publish and they did not alert you. If there is some urgency to this (and we can prove it is not a misconfiguration on your proxy) I can try to see if there are people at npm who can look into it.
Well, it was about 3 months ago. I would have expected that this was already known due to the amount of users.
We got the update through dependabot.
See https://github.com/verdaccio/monorepo/commit/01f61e69f3205f269f050dd828f15c4a5a4dac13
> I would have expected that this was already known due to the amount of users.
That same fact leads me to believe that it is your setup. I don't know what dependabot does, but for sure it installed from your mirror, so I would strongly guess that it is your setup. Not an erroneously published version.
FWIW, here are all the public issues / PRs about dependabot, express, and 4.18.0: https://github.com/search?q=dependabot+express+%224.18.0%22&type=Issues
As an extension for what @wesleytodd is saying, I would think that if this was actually on the public registry, then there would be at least _one_ other instance of dependabot opening a pull request somewhere on public GitHub?
The only search results are this issue here, two that are actually about eslint 4.18.0, and three on verdaccio repos.
@DanielRuf if you're really invested in knowing what happened here, perhaps we should be working backwards from where we know there was a 4.18.0? For example, it seems to show it being in the verdaccio registry mirror. Are there logs that show how it got there, exactly? Like for example the specific date and time it appeared in the verdaccio registry and where the tarball came from? Maybe even the contents of the tarball, which might shed some light also as to its purpose?
@juanpicado can you provide more details?
> Are there logs that show how it got there, exactly?

No, we don't have a good setup to save or track logs backwards unfortunately. The only trace I found is this:
"4.16.4": "2018-10-11T03:59:14.308Z",
"5.0.0-alpha.7": "2018-10-27T03:12:11.060Z",
"4.17.0": "2019-05-17T01:57:40.690Z",
"4.18.0": "2019-05-18T14:39:53.454Z",
"4.17.1": "2019-05-26T04:25:34.606Z"
in one of my local storages. Curiously, I just noticed Verdaccio 4 was released on May 19th. Perhaps someone on the team (@sergiohgz or @ayusharma) just published a fake version of express for demonstration purposes.

> Like for example the specific date and time it appeared in the verdaccio registry and where the tarball came from?

The first time I noticed was when it was reported by a user in https://github.com/verdaccio/verdaccio/issues/1484 after we set up dependabot (https://github.com/verdaccio/monorepo/pull/93), and on August 28th we got that PR.

> Maybe even the contents of the tarball, which might shed some light also as to its purpose?
I could not find one.
I think it was just a mistake; it never happened again, so I assume the issue was on our side.
As an update here (mainly for @wesleytodd), I got a response from npm that there has never been a 4.18.0 published to their registry for the express module, not even one that was published and then unpublished. They track the unpublishes, as once a version is published, unpublishing will still block publishing again under that same version number.
That is the policy I thought they had. Seems more and more likely that this was a verdaccio bug.
Yea. Honestly I was a bit worried that perhaps it was some kind of security issue somewhere. Express being a large target, it is always something on my mind.
Yep, same concern here. Glad you emailed them to make sure it was sorted out!
If either of you figure out the cause it would be great to hear an update @juanpicado or @danielruf. Hope you can figure it out.
Hi, digging a bit more on this topic, I would like to confirm this was just a big misunderstanding. I just checked the blog post, and in one of the pictures you can observe v4.18.0, which was merely for demonstration purposes; even jQuery is on v4.0.0 (which does not exist). I will advocate that our maintainers do not use the registry for these matters in the future, which can easily corrupt our registry and create issues like this one.
Sorry for the confusion and have a happy new year 🎉 .