I keep on, without thinking until after the fact, installing npm i -D uglifyjs, which installs this unofficial package, which lags behind by almost a year now, which has seen over 6K downloads in the past week. What should be done about that, given that is to this as coffeescript is to CoffeeScript? (@isaacs had to reserve that for this reason, IIUC.)
Hmm... if there was a central location to gather information and share information about outdated packages, we should promote them actually...
Sadly this isn't a problem that can be solved easily by us and might be hard to solve for npm themselves (they have to collect data anyway, take contact with the owner, avoid legal disputes, etc...). So one should fix this by raising awareness of these issues.
I know it could be potentially difficult, but there does seem to be an email (under a Chinese domain): [email protected]
I do question the email domain name, though, given its origin. I'm not saying that merely having a Chinese domain name is bad, but that combined with the close match in package name is why I say that.
We might want to notify eventual users of the outdated package not to use it, since some that depend on it are listed.
Edit: fix typo
npm has some policies in place to handle disputes, though I don't know how serious npm is about outdated clones or which tools they have in place if they do have some.
https://www.npmjs.com/policies/open-source-terms#npm-policies
Anyway, I'm pretty sure it's not likely we would use the name ourselves unless it's very easy for the maintainer to maintain (by doing close like symlinking/aliasing).
Another project using the wrong uglify npm module name:
https://github.com/samccone/The-cost-of-transpiling-es2015-in-2016/issues/27
@mishoo Regarding the uglifyjs npm module -
https://docs.npmjs.com/misc/disputes
Handling Module Name Disputes
Synopsis
Get the author email with npm owner ls <pkgname>
Email the author, CC [email protected]
After a few weeks, if there's no resolution, we'll sort it out.
Don't squat on package names. Publish code or move out of the way.

Potential security implications of mistyped npm module names - uglifyjs was mentioned as a common module typo:
https://blog.liftsecurity.io/2015/01/27/a-malicious-module-on-npm
See also:
I confirm I got no response from the author nor from npm. I will open an issue on the npm website, hope this can help.
Ping @mishoo. I believe you're probably the best one to create an official dispute. It is potentially misleading, although I do disagree with this bug saying it's malicious (I found nothing incriminating at a detailed glance, but I'm not a security professional).
Welcome to the world of recursive feedback (or ending up in the need of it).
This is getting closer and closer to the undefined side of justice, where trust has to be earned and justice has to follow through... Eventually, everybody will face the consequence of something "they can not foresee" (based on the fact everybody has to trust mishoo, "the one who shall solve everything").
So this is conflicting that actually, the owner is responsible to notify the users about something malicious (and lots of things, so the owner will end up in fatigue anyway). The third parties and infrastructures have to ease communication and the users have to follow orders from the owner "if they don't want to complain".
Since this is an issue that will always pop up, it is impossible to solve this. However, everybody can still contribute to a better world by being nice and just to say "hey, you should be doing that" and accept any consequence the maintainer of that code will do (which can be a large packet or just a snippet using uglifyjs).
I agree that the package looks harmless, but it creates confusion. I sent an email involving [email protected]. Let's see how it goes. Remind me to ping them in 4 weeks if nothing happens.
@mishoo There are two problematic npm modules in question:
The latter one https://www.npmjs.com/package/uglify-js2 is owned by you and can be fixed.
There is another npm module name variation, uglifyjs2, but it outputs this message upon install:
Did you mean 'uglify-js'? https://github.com/mishoo/UglifyJS2
I believe that https://www.npmjs.com/package/uglify-js2 ought to do the same.
@mishoo @rvanvelzen
> Remind me to ping them in 4 weeks if nothing happens.
51 922 downloads in the last month of the incorrect uglifyjs npm package:
@kzc uglify-js2 was transferred to @mishoo who updated it with the redirect.
Has anyone actually reached out to [email protected] regarding uglifyjs? I don't see any confirmation from @mishoo that they did?
If you do contact [email protected] and for whatever reason don't get a reply, please feel free to reach out to me directly, I'm iarna on freenode and @ReBeccaOrg on Twitter and I can go stand by the right desks to get ya an answer. =)
> Has anyone actually reached out to [email protected] regarding uglifyjs?
The top post was referring to this package: https://www.npmjs.com/package/uglifyjs
I'm assuming that's what @mishoo was referring to when he wrote:
> I agree that the package looks harmless, but it creates confusion. I sent an email involving [email protected]
Can you simply enable the redirect of uglifyjs to uglify-js?
/cc @rvanvelzen
@kzc _I_ can't do anything. I encourage you to mail [email protected]. Or if someone wants to confirm that they _have_ and haven't gotten a reply then I'll go poke the support team.
Thanks. I'll leave it to the package owners to follow up.
/cc @mishoo @rvanvelzen
So I asked support to do a little digging, their last communication was with @mishoo where they said (in July of last year):
> I apologize for not following up on this sooner. It looks like Mytry has not replied to your request.
> We would not unpublish the package from our end, because there are many dependents, but you could go through the package transfer process (described here: https://www.npmjs.com/policies/disputes) and request that we transfer the package to you, then you could deprecate it.
@mishoo never followed up so no transfer was ever done.
To move this forward someone needs to follow that process with [email protected]. This isn't something I can do for you.
Thanks @iarna
/cc @rvanvelzen
Thanks to @STRML I now have control of https://www.npmjs.com/package/uglifyjs2
@mishoo already has https://www.npmjs.com/package/uglify-js2
So only https://www.npmjs.com/package/uglifyjs left - I've sent an email to the author as per https://docs.npmjs.com/misc/disputes#tldr
@kzc what do you suggest we do aside from npm deprecate uglifyjs2 "UglifyJS is at uglify-js, not here. See https://github.com/mishoo/UglifyJS2"?
@alexlamsl How about uglifyjs2 is deprecated - use uglify-js instead.
No reply at all from owner of https://www.npmjs.com/package/uglifyjs, so I've just sent another email to npm to ask about the transfer.
@gaearon: Regarding https://twitter.com/dan_abramov/status/859688075307474944
The npm package "uglifyjs" is a name squatter. The project is trying to acquire this name.
My 2 cents: NPM team is fantastic at this. If it's a name squatter/empty name/etc, the first thing to do is email the owner AND CC NPM's support. Seems like that's what you did in the end, wish I had seen this issue 12 months earlier and saved you some time/headaches.
Regarding uglifyjs, npm team has sent an update with a deadline set on 15th May. So this may actually get resolved once and for all.
So what exactly happens on May 16 with respect to the uglifyjs npm name and what work is required?
Glad you asked :wink:
I've pinged npm team a few hours back confirming the lack of response from the current owner of uglifyjs, so I suspect I'll get to issue:
npm deprecate uglifyjs "uglifyjs is deprecated - use uglify-js instead."
Soon :tm:
I don't think deprecating uglifyjs is sufficient.
Since it was never an official package it should be replaced with an empty package.
> Since it was never an official package it should be replaced with an empty package.
Sounds good - is a single skeleton package.json all that is required?
> Sounds good - is a single skeleton package.json all that is required?
Might need an index.js file that prints "uglifyjs is deprecated - use uglify-js instead."
Took over uglifyjs and published a deprecation package and message.
Thanks for seeing this to completion!
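The name confusion discussed in this thread (uglifyjs, uglify-js2 and uglifyjs2 versus the official uglify-js) can be caught on the consumer side by checking a manifest for look-alikes of the packages a project intends to depend on. The following is an added example, not code from the thread or from the UglifyJS project; `TRUSTED`, `canonical`, `editDistance`, `findLookalikes` and the sample manifest are hypothetical names and constructed data.

```javascript
// Added example: flag dependency names that are look-alikes of a trusted package.
// TRUSTED and the sample manifest below are constructed for illustration.
const TRUSTED = ['uglify-js'];

// Collapse the variations seen in this thread: separators and a trailing digit.
function canonical(name) {
  return name.toLowerCase().replace(/[-_.]/g, '').replace(/\d+$/, '');
}

// Levenshtein distance (single-row form), used to catch one-character typos.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

// Report every dependency that is not a trusted name but resembles one.
function findLookalikes(manifest, trusted = TRUSTED) {
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (trusted.includes(name)) continue;
    for (const good of trusted) {
      if (canonical(name) === canonical(good)) {
        findings.push({ name, intended: good, reason: 'separator/digit variant' });
      } else if (editDistance(name, good) === 1) {
        findings.push({ name, intended: good, reason: 'one-character typo' });
      }
    }
  }
  return findings;
}

// Constructed sample manifest; version ranges are placeholders.
const sampleManifest = {
  dependencies: { 'uglify-js': '^2.8.0', lodash: '^4.17.0' },
  devDependencies: { uglifyjs: '^2.4.0', 'uglify-js2': '*', uglifyjs2: '*', 'uglfy-js': '*' },
};
for (const f of findLookalikes(sampleManifest)) {
  console.log(`${f.name}: did you mean '${f.intended}'? (${f.reason})`);
}
```

Run against a project's own package.json in CI, a non-empty result is a prompt to check the name before the install happens, which is the point where the opening post says the mistake is made.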