2.1 Billion Downloaded Deprecated Packages NPM | Prime Reacts 

I'm glad that the Aqua Team Security Nautilus Force is out there fighting cyber crime.

I'm an NPM scavenger. I pick up deprecated repos and try to save them. Often I will update a library and add 3rd party security and maintainers will ghost, but a few libraries do sign on and transfer ownership.

Security vulnerabilities like NPM packages can also exist in third-party Java packages, go get, pip install or cargo add, PHP, etc. NPM scales way higher due to JavaScript not having std lib.

i love it when i look at a face expecting it to be solid but then i see the text behind his head.

I downloaded a 100 deprecated packages just installing npm

If leftpad didn't prove that npm was a hellscape, I don't know what will

what's the bet half of these packages are packages like isArray, isTrue or isFalse?

There's a certain level of complexity which we all can handle. Above that threshold everything becomes chaotic and unmanageable.

Dude, the devs at my client never update npm nor nuget packages. It's like they don't even know it's an option.

'Who doesn't at least align their case statements in ascending order?'. My guess it was done for performance reasons ie put the most common branches at the top. Will it actually make an appreciable difference? Depends on what the code is about and what the compiler does with it.

Aaaand what percentage of these deps are build tool related? Sure, may well be deprecated but as they're local, not sure it's much of an issue (bar dev annoyance). Also, what % of that weekly figure is entirely automated, repeated CI builds? And what % is due to pinned older Node versions (see also every other long running project in every other language)? Tho if you're a security company BIG SCARY NUMBERS mean big cash I guess

I think their definition of deprecated is a bit too broad, but the point is correct I have no problem updating packages with any other language/package manager, but with npm I feel like dependency hell is just the norm (might be a bias from especially bad projects though)

API wrappers for API wrappers was never a thing I thought would happen.

10:15 .. Working as a consultant, I see this on the regular when jumping into a client project. Serverless made it sooooo much worse as there is only so fast cloud providers will update their offerings' base versions

To be fair, this is only one of the many issues, that all package-based systems, available to the public, have. You get exactly the security and service you pay for and You can't hold anyone responsible but yourself if something goes wrong.

the placeholder code is nuts

It's possible that some of those packages not being actively maintained are simply complete. Not every package needs maintenance.

“someone (sometimes me) have to deal with the decisions that I made 8 years ago” seems more accurate in my case 😂

I remember one time passing around a node_module folder between my team because of a dependency issue, good times.

As someone that had an opensource project and archived it because I didn't care and there were better options to replace it. I understand... and would have done the same. There is no money in the vast majority of these projects (I'll just ignore the number of people who's only contribution to a fork is removing the license) and the primary reason they are rotting is the original auth is no longer working on anything that cares about the project. BTW, the projects are open source... the code is out there especially for NPM. if you are about your own project either don't take the dependency or fork and fix it yourself.

2:24 it's open source, it most likely has a licence that absolves the author of any damages. Archiving the dependency was more than they had to do in response. Anyone is free to fork fix and provide a new version

And because of that, when I want deprecate some software, I make one final release which at least adds a line which just logs on startup "software is deprecated and will not receive security fixes. Use at your own risk"

Most of us rely on deprecated packages and that's OK. It doesn't mean it doesn't work. Even when they have known security vulnerabilities it may not actually affect your code.

open source is not funded so why would they do a commitement to update them. they have no obligation.

I wonder how many of those are things like leftpad package where the content is so simple that deprecation status doesn't matter.

Is that the lorem ipsum version of code for "stock photo" images in developer articles?

The only thing js can do blazingly fast is deprecate packages

JS is purgatory, NPM is hell, Node is Tartarus

I don’t understand one aspect of low-dependency. If you strive to use only the most essential packages and write more code yourself , aintyou opening up vulnerabilities in your own self-written code which will not even be scanned for any CVEs

Does anybody know what bet did he loose ?

The code at 1:00 is core-js (probably minified)

If it's open source, why didn't Aqua Nautilus issue a PR fixing it? It's easy to point out vulnerabilities, it's another to actually fix them. I'm not surprised by essentially relying on a volunteer army.

Happy 2B downloaded deprecated packages since the posting of this video!

what happens when the Dependency Deprecation Checker becomes deprecated?

1:00 if you align your case statements you will have to put break; in case 2

As a backend developer - npm packages seem like playing catch with grenades

The issue about archiving is that it is Javascript. And things will always break in Javascript. Even if the current code is safe, a dependency eventually will become vulnerable. Meaning we have to at least change the version of the dependency in our project to avoid the risk.

I don't think a lot of the use is new companies picking stuff recently and is deprecated, but shit packages that haven't been updated in 8 years that somehow get recommended all over the place.

This literally happened to me few days ago: I installed my project on new machine, and it was... not working in most weird ways i ever seen, it was impossible to debug. I was so frustrated until i decided to remove "~" from package versions in the package.json file and re-install node modules (i never really wondered what i means before) and... problem was gone! So what happened is, if you have "~" prefix in your package version, it means NPM will install minor updates if they exist (but not major) . And in my case some random package after few years of silence got an update that freaking broke everything. BUT npm assumes minor updates wont brake anything so he happily installs them, how kind of him. Now i will never update my packages ever again 🙂

6:50 - and thats why JS needs Standard Library

I wonder how long the Nautilus tool will live until it becomes deprecated.

hoo boy, what did npm do this time?

Hey... Blue hair

There are multiple SQLite3 version most of which are no longer maintained.

I mean some packages are left-pad and don't need to be updated for decades if ever

I always hate dealing with Python dependencies because it's so bad. But NPM makes Python look like the golden child of perfect dependency management ☠️ It is worth clarifying deprecated does not equal being a security problem.

most of deprecated packages in my opinion its in devDependencies like build tools,not the actual code we use from packages

*How much businesses rely on unpaid labor. There I fixed it for you.

The JS ecosystem is just nuts anyway. If you want any sort of quality you need a package repository where they check the quality of your package and your ability to maintain it long term. You shouldn't allow random people to publish random packages....

Yes, because ain't nobody got time to keep up with the fact that the node ecosystem deprecates itself within a 6 month window. Its goddamn hell.

>npm install -g npm@latest Warning: NPM is deprecated!

When bring on a Dependency the security risk is YOUR responsibility not the developer for the package you downloaded

The CLI tells you when you are installing deprecated packages yet everyone ignores it. The “if it works” mentality is strong in software orgs

Every time I install something with npm I download a bunch of depreciated packages

That code shown doesn't work. Or at least not work as intended.

"Oh no, somebody doesn't want to provide me free updates on the stuff I use to make money!" Just try to pay the guy or fork it and fix it. Duh.

Research conducted by profound efforts of npm i everything.

And some people studies cyber security bruh 😅 we literally don't have the man power to maintain the all the code we write ...

this is also a great reason to not just do stuff like npm install is-array

has this acquia team hunger force ever heard of npm audit?

For a lot of packages it doesnt matter wether they are deprecated. I think for most frontend packages it doesnt matter if its deprecated(in the sense that a update isnt neccessary for security). I wouldnt care wether a date picker lets say is deprecated - if it works and looks good, i wont hassle with updating it.

I call it Tuesday.

Good luck dealing with outdated transitive packages

I thought npm 2 was called yarn.

can confirm tensorflow 2.10 was the last good one because fuck WSL

Is your hair thinning? It seems a little transparent

Well this will kill JS environment faster (dependency hell) . I heard the Lua hype train started while other using C#

Cant really say that I am surprised.

Thank god it was a lost bet 🙏 I was afraid to ask tbh, thought we lost u 🥺

Normalize SOMBs as apart of maintained developer artifacts.

ngl the hair doesn't look *that* bad

NPM is a dumpster fire

it is not blue, it is turquoise

Did he lose a bet or did he just use too much Rust? 😛

Gleamlang

yo jinja

How do you even have 50000 "top" packages Idk man what u doin in java script

Can I npm npm 2?

Any new developer should not write javascript and help stop the poison

Guess we should just stop to use web frameworks already, back to plain es6 JavaScript + maybe JQuery but even that is a dependency That is avoidable

To me this problem is intensely childish and misattributed. It's not a maintainer's fault for abandoning a hobby project. It's a dev's fault for running code on their machine (and their users' machines!!) that they have not audited and have not understood as the burden that it is. Like even as a kid when the internet was barely a thing I knew you weren't supposed to run random executables downloaded from the internet. People just give their trust to random code too freely. That goes for editor plugins too, super easy vector of attack.

I'm favoured, $60k every week! I can now give back to the locals in my community and also support God's work and the church. God bless America.

Most of these downloads are just people learning anyway, very unreliable number.

Love seeing the butthurt people were having over the hair for a week. Ya'll need some self reflection.

Javascript is a secure, sandboxed language so this isn't a big problem :D :D

Rust is cra(p)b, everything will evolve into it. What youtube lack is more transparency youtuber :))

Prime reads generated marketing article again. This is obviously created by aqua marketing team. As such all information there should be treated as an advert ie complete BS. Also if you do want to read the ad with this information cherry picked to make there point maybe scrub the articles first of its advertisement. But also stop reading astroturfing marketing ads.

Baffles me why english speakers haven't yet swapped deprecated for DEPRECIATED. Much funnier and accurate.

Javascript is deprecated

Lost a bet, btw

Very good for pentesters, easy vulnerabilities means easy money. So yeah all js devs, keep doing this 😂😂😂

Please deprecate that horrible hair dye. Why do people think this is acceptable?

Can you just make your hair normal.

cheap and cheap advertisement