item 16001273

PSA: You have 28 days to respond to NPM package takeovers, or you'll lose them

10 points | erikpukinskis | 8 years ago | reply

Learned the hard way. I got an email from a person trying to take over one of my NPM packages on November 16th. I didn't see the email until today (I don't check email very often), and NPM had already transferred the package to the third party on December 15th without my consent.

Turns out, it's laid out in the NPM policy. You have exactly 4 weeks to respond to a takeover request, or you lose the package: https://www.npmjs.com/policies/disputes

Now I've set up a canned response in Gmail to automatically respond to NPM support if they try to do it again. Maybe that will help. Makes me very nervous about my other packages though.

Seems like a pretty good attack vector for hackers.
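The takeover in the post went unnoticed because nothing watched the package's maintainer list. The following is an added example, not code from the original post or from npm: it diffs two snapshots of a package's registry metadata document (https://registry.npmjs.org/&lt;name&gt;, whose top-level `maintainers` array holds `{name, email}` entries) and raises an alert when a maintainer is removed or someone outside an allowlist you control is added. The package name, maintainer names and both snapshots are constructed sample data; `fetchMetadata` assumes a Node runtime with global `fetch` (Node 18+) and is not exercised by the sample run.

```javascript
// Added example (not from the thread): detect maintainer changes on an npm
// package by diffing two snapshots of the registry's metadata document.
// Both snapshots are constructed sample data shaped like the registry
// document, not real registry output; the package and user names are made up.

const before = {
  name: "example-pkg",                    // hypothetical package name
  "dist-tags": { latest: "1.2.0" },
  maintainers: [{ name: "erik", email: "erik@example.com" }],
};

const after = {
  name: "example-pkg",
  "dist-tags": { latest: "1.2.1" },
  maintainers: [{ name: "newowner", email: "newowner@example.com" }],
};

// Return the maintainer names present in one snapshot but not the other.
function diffMaintainers(prev, next) {
  const names = (doc) => new Set((doc.maintainers || []).map((m) => m.name));
  const prevNames = names(prev);
  const nextNames = names(next);
  return {
    added: [...nextNames].filter((n) => !prevNames.has(n)),
    removed: [...prevNames].filter((n) => !nextNames.has(n)),
  };
}

// Decide whether a change warrants an alert: any removal counts (that is what
// a transfer looks like), and so does an addition not on your allowlist.
// Returns null when nothing suspicious changed, otherwise a one-line message.
function takeoverAlert(prev, next, allowlist) {
  const { added, removed } = diffMaintainers(prev, next);
  const unexpected = added.filter((n) => !allowlist.includes(n));
  if (removed.length === 0 && unexpected.length === 0) return null;
  return `${next.name}: maintainers removed [${removed.join(", ")}], ` +
         `unexpected added [${unexpected.join(", ")}]`;
}

// Fetch the live registry document for a package (network call; assumes
// Node 18+ with global fetch). Scoped names are percent-encoded, which the
// registry accepts. Not run by the sample below.
async function fetchMetadata(name) {
  const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(name)}`);
  if (!res.ok) throw new Error(`registry returned ${res.status} for ${name}`);
  return res.json();
}

if (typeof require !== "undefined" && require.main === module) {
  // Sample run over the constructed snapshots; "erik" is the only allowed maintainer.
  console.log(takeoverAlert(before, after, ["erik"]));
}
```

Run on a schedule (a cron job or CI step), persist the last snapshot you saw, and compare each fresh `fetchMetadata` result against it; a removal alert arriving well inside the four-week window is the signal the post's author did not have.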

6 comments

[+] git-pull|8 years ago|reply
As someone who just patched two abandoned projects to work with Django 2.0, I can say it's incredibly annoying when maintainers are MIA for extended times.

That means, now I have to divert time to maintaining my own fork.

The funny thing is I'm the person doing the heavy lifting. I make the fixes, write the tests, make sure CI passes and older versions don't break, even update the change log. Everything to assure stuff is in order. All they have to do is accept the pull request and publish the package.

In my specific situation though, I was able to merge the PR to master. But had no PyPI access to publish the package.

[+] erikpukinskis|8 years ago|reply
So you feel maintainers should be responsive within 28 days, or lose their packages?
[+] borplk|8 years ago|reply
What does MIA stand for?
[+] alexdrans|8 years ago|reply
Yeah wtf, this is wrong. They should require explicit permission before transferring ownership.
[+] Raed667|8 years ago|reply
Then NPM would be a graveyard of unmaintained projects