undefined | Better HN

0 pointskodablah8y ago0 comments

This does not alleviate the issue where you can reuse package names. I suppose they believe what they mark as spam packages won't be used enough or is already bad enough that reusing the name is harmless. And they probably also believe that they can catch fuckups in a day. I don't think either are necessarily true and are only true in this case because it hit popular dep trees. But what happens when something is erroneously marked as spam that's not as popular and the downstream dependents don't realize in 24 hours? If the problem is that "placeholders" are too heavy, then they could be made lighter weight or put some rules around when they will add them and when they won't.

0 comments

testplzignore8y ago

My guess is that the cost of the placeholders is indeed what is driving their decision, though perhaps it is a premature optimization.

Maybe they've had situations where a spammer has created a very large number (millions, billions?) of packages. It's possible that the majority of user submissions are automated spam from botnets. I would assume npm has some mitigations in place to prevent this abuse in the first place, such as rate limiting and captchas, though maybe that's not enough to stem the tide.

Though, given that they say they have humans doing the package deletion, that makes me think that the number of spam packages created can't be that high. Certainly not high enough to outweigh the risks of package name reuse. Increase your prices a few pennies a month so you can afford to store the placeholders forever.

j / k navigate · click thread line to collapse

0 pointskodablah8y ago0 comments

0 comments

testplzignore8y ago

My guess is that the cost of the placeholders is indeed what is driving their decision, though perhaps it is a premature optimization.

j / k navigate · click thread line to collapse