Seems to be a change in Cloudflare's managed WAF ruleset - any site using that will have URLs containing 'camel' blocked due to the 'Apache Camel - Remote Code Execution - CVE:CVE-2025-29891' (a9ec9cf625ff42769298671d1bbcd247) rule.<p>That rule can be overridden if you're having this issue on your own site.
Any path with the word "camel" seem to trigger this: <a href="https://www.npmjs.com/search?q=camel" rel="nofollow">https://www.npmjs.com/search?q=camel</a> | <a href="https://registry.npmjs.org/camel123" rel="nofollow">https://registry.npmjs.org/camel123</a> | <a href="https://registry.yarnpkg.com/camel456" rel="nofollow">https://registry.yarnpkg.com/camel456</a><p>Some discussion here <a href="https://github.com/npm/cli/issues/8203" rel="nofollow">https://github.com/npm/cli/issues/8203</a><p>Edit: this is resolved now <a href="https://status.npmjs.org/incidents/hdtkrsqp134s" rel="nofollow">https://status.npmjs.org/incidents/hdtkrsqp134s</a>
This is not CF WAF's first rodeo <a href="https://news.ycombinator.com/item?id=20421538">https://news.ycombinator.com/item?id=20421538</a><p>Cementing its track record as a product that mostly doesn't do anything except for occasionally break the internet here and there to keep things fun and interesting.
The npm folks have officially acknowledged an incident now: <a href="https://status.npmjs.org/incidents/hdtkrsqp134s" rel="nofollow">https://status.npmjs.org/incidents/hdtkrsqp134s</a>
Outsourcing WAF is a double-edged sword.<p>I would have thought a large company like GitHub or Microsoft can have their own WAF team for their apps.<p>(NPM is owned by GitHub, and GitHub is owned by Microsoft)