This repository was archived by the owner on May 1, 2024. It is now read-only.
Replies: 2 comments 1 reply
-
Hey @Trott. This is definitely a difficult one, as there are packages that use built-in names that are totally valid (many are shims from the browserify world), e.g. https://www.npmjs.com/package/buffer. There are other packages that have been claimed by npm and are deprecated, e.g. https://www.npmjs.com/package/crypto. Perhaps a good next step would be to do a review of all the built-in modules and see if any are actionable.
1 reply
-
We've added a work item to our roadmap to track this.
-
I don't know if this is the only case of this, but I notice that https://www.npmjs.com/package/https is six years old and consists of only a package.json file. No code, no documentation, etc.

Fortunately, in the generic case, installing this module doesn't break anything for people. `require('https')` does what it is supposed to do and the user gets the built-in module. Considering that `https` is a built-in module in Node.js, I imagine most of the quarter of a million weekly downloads just end up with a package they don't need. But it can break people's code in some cases. I don't know how common that is or if it will become more common as tools do ever more interesting things with `node_modules`.

But fundamentally, from a user perspective, the fact that the module exists in the registry is surprising, the fact that installing it will install something that then has no effect is surprising, etc.

And there's nothing (that I'm aware of) to stop the author from adding a subdirectory and code and documentation, and then `require('https/foo')` will do stuff and it will be a mess.

I know unpublishing has a rather high bar in a post-left-pad world, but I wonder if packages like this might be best replaced in the registry in such a fashion that they install nothing at all, return a success code in the CLI, and maybe print an advisory message telling the user that they are trying to install a built-in module and so it had no effect. Maybe this requires no registry change at all and just a change in the CLI (to not install certain built-in module names) and a change in the website to either not show these modules or else explain that they are built-ins and do not need to be installed. I guess the CLI change may need to behave differently with private registries (in case people are actually publishing stuff like this privately? I hope not) but at least in the public registry?