> Contrary to what npm states, this package actually depends on one of our aforementioned spam packages. This is a by-product of how npm handles and displays dependencies to users on its website.<p>For me personally, this is the biggest surprise and takeaway here. By simply having a key inside package.json's dependencies reference an existing NPM package, the NPM website links it up and counts it as a dependency, regardless of the actual value that the package references (which can be a URL to an entirely different package!). I think this puts an additional strain on an already fragile dependency ecosystem, and is quite avoidable with some checks and a little bit of UI work on NPM's side.
How about removing the incentive? Take down every package with tea.yaml in it, after say 1 month's warning, so legitimate packages trying to use it don't leave their users in the lurch. The tea protocol is clearly not going to accomplish what it set out to (see below), and is instead incentivising malicious behaviour and damaging the system it set out to support.<p>From <a href="https://docs.tea.xyz/tea/i-want-to.../faqs" rel="nofollow">https://docs.tea.xyz/tea/i-want-to.../faqs</a>: "tea is a decentralized protocol secured by reputation and incentives. tea enhances the sustainability and integrity of the software supply chain by allowing open-source developers to capture the value they create in a trustless manner."
Why are these spam accounts not perma-banned and removed?<p>For example, this[1] account mentioned in the article has 1781 packages of gibberish.<p>Also, the whole reporting process is onerous; there is a large form. Of course, gatekeeping on reporting is good, but there should be a possibility to report an entire package publisher's profile.<p>[1] <a href="https://www.npmjs.com/~eleanorecrockets" rel="nofollow">https://www.npmjs.com/~eleanorecrockets</a>
> Next, because the AI hype train is at full steam, we must point out the obvious. AI models that are trained on these packages will almost certainly skew the outputs in unintended directions. These packages are ultimately garbage, and the mantra of “garbage in, garbage out” holds true.<p>hmm, inspiring thoughts. An answer to "AI is going to replace software developers in the next 10 years" is to create 23487623856285628346 spam packages that contain pure garbage code. Humans will avoid, LLMs will hallucinate wildly.
The Tea protocol's flawed incentive model is a disaster, effectively encouraging developers to pollute npm with spam. It's a prime example of what happens when protocols prioritize quantity over quality, compromising the entire ecosystem.
TLDR:<p>1. a cryptocurrency scheme for funding OSS development[1] is incentivizing spammers to try and monetize NPM spam<p>2. it's easy to spoof your dependencies with package.json[2]<p><pre><code>"dependencies": {
  "axios": "https://registry.npmjs.org/@putrifransiska/kwonthol36/-/kwonthol36-1.1.4.tgz"
}
</code></pre>
[1]: <a href="https://tea.xyz/blog/the-tea-protocol-tokenomics" rel="nofollow">https://tea.xyz/blog/the-tea-protocol-tokenomics</a><p>[2]: <a href="https://www.npmjs.com/package/sournoise?activeTab=code" rel="nofollow">https://www.npmjs.com/package/sournoise?activeTab=code</a>
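Added example (not code from the original post, from npm, or from the tea project): the key/value mismatch that the first comment and the TLDR above describe can be caught with a static read of package.json, without trusting what npmjs.com displays. The audit below parses every dependency spec, extracts the package name embedded in a registry tarball URL or an `npm:` alias, and flags entries whose key does not match that name; specs that cannot be resolved offline (git URLs, GitHub shorthand, local paths) are reported as unverifiable rather than silently trusted. The sample manifest is constructed for the example: the `axios` entry is the real pattern from the thread, and the other package and repo names (`example-app`, `someuser/not-debug`) are made up.

```javascript
// Added example, not code from the original post or from npm itself.
// Static audit of a package.json: flag dependency entries whose key (the name
// npmjs.com shows as "the dependency") does not match what the value resolves to.
// Nothing is fetched; registry tarball URLs are parsed for the embedded package name.

const REGISTRY_TARBALL =
  /^https?:\/\/registry\.npmjs\.org\/((?:@[^/]+\/)?[^/]+)\/-\/[^/]+\.tgz$/;

// Rough classification of a dependency spec string (npm accepts many forms).
function classifySpec(spec) {
  if (REGISTRY_TARBALL.test(spec)) return "registry-tarball";
  if (spec.startsWith("npm:")) return "alias";
  if (/^(?:file:|\.{0,2}\/)/.test(spec)) return "file";            // file: URL or local path
  if (/^(?:https?|git(?:\+\w+)?|ssh):\/\//.test(spec)) return "url";
  if (/^(?:github|gitlab|bitbucket|gist):/.test(spec)) return "url";
  if (/^[\w.-]+\/[\w.-]+(?:#.*)?$/.test(spec)) return "url";      // GitHub shorthand user/repo
  return "range";                                                  // semver range or dist-tag
}

// Name the spec resolves to when that is decidable offline, else null.
function resolvedName(spec, kind) {
  if (kind === "registry-tarball") {
    return decodeURIComponent(REGISTRY_TARBALL.exec(spec)[1]);
  }
  if (kind === "alias") {
    const target = spec.slice("npm:".length);     // e.g. "@scope/pkg@^1.0.0"
    const at = target.lastIndexOf("@");           // index 0 would be the scope's "@"
    return at > 0 ? target.slice(0, at) : target;
  }
  return null;
}

const FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

function auditDependencies(pkg) {
  const findings = [];
  for (const field of FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind === "range") continue;             // resolved by name on the registry: key is truthful
      const target = resolvedName(spec, kind);
      if (target === name) continue;              // alias or tarball of the same package
      findings.push({
        field, name, spec, kind,
        resolvesTo: target,
        verdict: target ? "mismatch" : "unverifiable",
      });
    }
  }
  return findings;
}

function auditPackageJsonText(text) {
  return auditDependencies(JSON.parse(text));
}

// Constructed sample manifest. The axios entry is the real pattern described in
// the thread; "example-app" and "someuser/not-debug" are made-up names.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    lodash: "^4.17.21",
    axios: "https://registry.npmjs.org/@putrifransiska/kwonthol36/-/kwonthol36-1.1.4.tgz",
    "left-pad": "npm:left-pad@^1.3.0",
    express: "npm:@putrifransiska/kwonthol36@1.1.4",
    debug: "github:someuser/not-debug#main",
  },
  devDependencies: { jest: "29.x" },
});

console.log(JSON.stringify(auditPackageJsonText(SAMPLE_PACKAGE_JSON), null, 2));
```

Run it with `node` on a saved copy; point `auditPackageJsonText` at the contents of any package.json (or the lockfile's `packages` map, which uses the same spec forms) to get a list of entries whose display name on npmjs.com cannot be trusted. A "mismatch" verdict is the case the thread describes; an "unverifiable" one is not necessarily malicious, but it is a place where only fetching and inspecting the target would tell you what gets installed.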
I was sad to read this and thought "this is why we can't have nice things."<p>But following the links was fun and educational:<p>"The end goal here [of the Tea protocol] is the creation of a robust economy around open source software that accurately and proportionately rewards developers based on the value of their work through complex web3 mechanisms, programmable incentives, and decentralized governance."<p>Which led to:<p>"The term cobra effect was coined by economist Horst Siebert based on an anecdotal occurrence in India during British rule. The British government, concerned about the number of venomous cobras in Delhi, offered a bounty for every dead cobra. Initially, this was a successful strategy; large numbers of snakes were killed for the reward. Eventually, however, people began to breed cobras for the income. When the government became aware of this, the reward program was scrapped. When cobra breeders set their snakes free, the wild cobra population further increased."<p>Which led to:<p>"Goodhart's law is an adage often stated as, 'When a measure becomes a target, it ceases to be a good measure.'"
I recently stumbled upon a bunch of repos which were clearly copied from popular projects but then renamed with a random Latin name and published to npm.<p>I reported some of them as spam, but there were hundreds of them. I couldn't figure out why somebody would waste the time to do that, but now it makes sense.
There was a similar thing to tea a while back. I think I saw the project posted on here. Went to their github and found a typo in their Readme. Opened a pr with a correction and then they started sending me about a dollar in btc every month till they ran out of money and the project imploded.
I am really interested in whether that really matters.<p>Package managers often come with a rating system. npmjs has weekly downloads, pull requests, and other popularity scores.<p>I am a layman in AI, but why would anyone think that this would affect anything, like AI? Why would anyone train on a no-name package that no one uses?<p>Stats for spam packages can have higher-than-none stats, but that also makes them vulnerable to sweep removal of all potential spam packages, since they are connected, etc. etc.<p>Any credible company will not use a no-name spam package; they will verify its contents. That is at least what happened in all companies I have worked for.
I wonder what is the long term plan.<p>Maybe the next step is to sell the control of all these packages to a rogue entity to be used for a supply chain attack?
Tea is absolutely NOT "taking steps to remediate this problem". They are grifters and part of their grift is claiming to take steps when called out.
I'm fairly proficient in Javascript, but mismanagement of the ecosystem like this is a major reason why any time I see that something requires Node.js, I just turn and run in the other direction. It's just not worth the headaches.
I mean realistically it's representative of the Internet as a whole. Makes me wonder where all the porn packages are.<p>The pulling in of unexpected dependent packages is a real issue though, how do other ecosystems deal with it? NPM is really missing some level of trust beyond just using "brand name" packages.<p>My general judgement is usually how often it's worked on/how many downloads it has but gut feel isn't really enough, is it?